diff mbox series

[git:media_tree/master] media: mceusb: Fix potential out-of-bounds shift

Message ID E1l022L-00EilM-BU@www.linuxtv.org
State Accepted
Commit 1b43bad31fb0e00f45baf5b05bd21eb8d8ce7f58
Headers show
Series [git:media_tree/master] media: mceusb: Fix potential out-of-bounds shift | expand

Commit Message

Mauro Carvalho Chehab Jan. 14, 2021, 12:45 p.m. UTC
This is an automatic generated email to let you know that the following patch were queued:

Subject: media: mceusb: Fix potential out-of-bounds shift
Author:  James Reynolds <jr@memlen.com>
Date:    Tue Dec 22 13:07:04 2020 +0100

When processing a MCE_RSP_GETPORTSTATUS command, the bit index to set in
ir->txports_cabled comes from response data, and isn't validated.

As ir->txports_cabled is a u8, nothing should be done if the bit index
is greater than 7.

Cc: stable@vger.kernel.org
Reported-by: syzbot+ec3b3128c576e109171d@syzkaller.appspotmail.com
Signed-off-by: James Reynolds <jr@memlen.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

 drivers/media/rc/mceusb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

---
diff mbox series

Patch

diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
index f1dbd059ed08..c8d63673e131 100644
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1169,7 +1169,7 @@  static void mceusb_handle_command(struct mceusb_dev *ir, u8 *buf_in)
 		switch (subcmd) {
 		/* the one and only 5-byte return value command */
 		case MCE_RSP_GETPORTSTATUS:
-			if (buf_in[5] == 0)
+			if (buf_in[5] == 0 && *hi < 8)
 				ir->txports_cabled |= 1 << *hi;
 			break;