driver: Sanitize data_size value returned from devices
We're using this value for some bounds checks and we should ensure that
we don't potentially get a data_size that's bigger than the arguments
array to avoid out of bounds reads.
z3ntu committed Dec 4, 2022
1 parent 8f50fda commit 33aa7f0
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions driver/razercommon.c
Expand Up @@ -107,6 +107,14 @@ int razer_get_usb_response(struct usb_device *usb_dev, uint report_index, struct
result = 1;
}

if (WARN_ONCE(response_report->data_size > ARRAY_SIZE(response_report->arguments),
"Field data_size %d in response is bigger than arguments\n",
response_report->data_size)) {
/* Sanitize the value since at the moment callers don't respect the return code */
response_report->data_size = ARRAY_SIZE(response_report->arguments);
return -EINVAL;
}

return result;
}
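
Review bot: WARN_ONCE in the new `data_size` check fires on a value the device supplies, so a faulty or malicious device can trigger a kernel stack trace on demand, and on systems running with panic_on_warn it can trigger a panic. WARN is meant for driver-internal invariants, not for input validation; consider `dev_warn_once(&usb_dev->dev, ...)` or a rate-limited variant, keeping the clamp and the `return -EINVAL` in a plain `if`. Separately, the comment says callers do not check the return code, so after this change they still go on to parse a response that is known to be malformed, only with `data_size` clamped to `ARRAY_SIZE(response_report->arguments)`. That stops the out-of-bounds read, but a follow-up that makes callers bail out on a negative return would let the clamp be dropped and keep bad data out of the rest of the driver.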
