From patchwork Mon Jul 8 21:33:11 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sean Young X-Patchwork-Id: 2824995 Return-Path: X-Original-To: patchwork-linux-media@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id BE6F3C0AB2 for ; Mon, 8 Jul 2013 21:41:24 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id E46BD20154 for ; Mon, 8 Jul 2013 21:41:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F16002013D for ; Mon, 8 Jul 2013 21:41:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753204Ab3GHVlS (ORCPT ); Mon, 8 Jul 2013 17:41:18 -0400 Received: from pequod.mess.org ([46.65.169.142]:35814 "EHLO pequod.mess.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753234Ab3GHVlP (ORCPT ); Mon, 8 Jul 2013 17:41:15 -0400 Received: by pequod.mess.org (Postfix, from userid 1000) id BAF43E198; Mon, 8 Jul 2013 22:33:12 +0100 (BST) From: Sean Young To: Mauro Carvalho Chehab Cc: =?UTF-8?q?David=20H=C3=A4rdeman?= , linux-media@vger.kernel.org Subject: [PATCH] [media] lirc: validate transmission ir data Date: Mon, 8 Jul 2013 22:33:11 +0100 Message-Id: <1373319192-26816-4-git-send-email-sean@mess.org> X-Mailer: git-send-email 1.7.2.5 In-Reply-To: <1373319192-26816-1-git-send-email-sean@mess.org> References: <1373319192-26816-1-git-send-email-sean@mess.org> Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-Spam-Status: No, score=-7.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The lirc interface allows 255 u32 spaces and pulses, which are usec. If the driver can handle this (e.g. winbond-cir) you can produce hours of meaningless IR data and there is no method of interrupting it. Signed-off-by: Sean Young --- drivers/media/rc/ir-lirc-codec.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/media/rc/ir-lirc-codec.c b/drivers/media/rc/ir-lirc-codec.c index e456126..e5be920 100644 --- a/drivers/media/rc/ir-lirc-codec.c +++ b/drivers/media/rc/ir-lirc-codec.c @@ -140,11 +140,20 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, goto out; } + for (i = 0; i < count; i++) { + if (txbuf[i] > IR_MAX_DURATION / 1000 - duration || !txbuf[i]) { + ret = -EINVAL; + goto out; + } + + duration += txbuf[i]; + } + ret = dev->tx_ir(dev, txbuf, count); if (ret < 0) goto out; - for (i = 0; i < ret; i++) + for (duration = i = 0; i < ret; i++) duration += txbuf[i]; ret *= sizeof(unsigned int);