mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-09-04 20:19:47 +08:00
watchdog: ziirave_wdt: check record length in ziirave_firm_verify()
The "rec->len" value comes from the firmware. We generally do
trust firmware, but it's always better to double check. If
the length value is too large it would lead to memory corruption
when we set "data[i] = ret;"
Fixes: 217209db02 ("watchdog: ziirave_wdt: Add support to upload the firmware.")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/3b58b453f0faa8b968c90523f52c11908b56c346.1748463049.git.dan.carpenter@linaro.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
This commit is contained in:
Dan Carpenter
Wim Van Sebroeck
parent
d7b8f8e208
commit
8b61d8ca75
@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd,
|
|||||||
const u16 len = be16_to_cpu(rec->len);
|
const u16 len = be16_to_cpu(rec->len);
|
||||||
const u32 addr = be32_to_cpu(rec->addr);
|
const u32 addr = be32_to_cpu(rec->addr);
|
||||||
|
|
||||||
|
if (len > sizeof(data))
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
if (ziirave_firm_addr_readonly(addr))
|
if (ziirave_firm_addr_readonly(addr))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user