driver: Sanitize data_size value returned from devices
We're using this value for some bounds checks and we should ensure that
we don't potentially get a data_size that's bigger than the arguments
array to avoid out of bounds reads.
z3ntu committed Dec 4, 2022
1 parent 8f50fda commit 33aa7f0
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions driver/razercommon.c
Expand Up @@ -107,6 +107,14 @@ int razer_get_usb_response(struct usb_device *usb_dev, uint report_index, struct
result = 1;
}

if (WARN_ONCE(response_report->data_size > ARRAY_SIZE(response_report->arguments),
"Field data_size %d in response is bigger than arguments\n",
response_report->data_size)) {
/* Sanitize the value since at the moment callers don't respect the return code */
response_report->data_size = ARRAY_SIZE(response_report->arguments);
return -EINVAL;
}

return result;
}
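
Review bot: The WARN_ONCE() around the new data_size check fires on a value that comes from the device, so a misbehaving or hostile USB device can force a kernel stack trace, and on systems running with panic_on_warn it brings the machine down. An ordinary if on the same condition with a once-only log such as dev_warn_once(&usb_dev->dev, ...) would keep the clamp without that side effect. The clamp to ARRAY_SIZE(response_report->arguments) is what actually protects callers, since the in-line comment says they ignore the return code. A follow-up should make callers check for -EINVAL, because on this path they still go on to use a response already known to be malformed. The return -EINVAL also discards whatever result held from the earlier checks (the context shows result = 1 just above), so the function now mixes a positive status with a negative errno and its return convention should be documented.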
