Before parsing CISTPL_VERS_1 structure check that its size is at least two
bytes to prevent buffer overflow.
Signed-off-by: Pali Rohár <pali@xxxxxxxxxx>
---
drivers/mmc/core/sdio_cis.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c
index e0655278c5c3..3efaa9534a77 100644
--- a/drivers/mmc/core/sdio_cis.c
+++ b/drivers/mmc/core/sdio_cis.c
@@ -24,10 +24,13 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func,
const unsigned char *buf, unsigned size)
{
unsigned i, nr_strings;
char **buffer, *string;
+ if (size < 2)
+ return 0;
+
/* Find all null-terminated (including zero length) strings in
the TPLLV1_INFO field. Trailing garbage is ignored. */
buf += 2;
size -= 2;
--
2.20.1
