greybus: validate descriptor sizes

When interpreting a manifest descriptor header, don't assume there
is enough space in the buffer to hold a descriptor header.  Also,
verify the remaining buffer is at least as big as the reported
descriptor size.

Signed-off-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

diff --git a/drivers/staging/greybus/core.c b/drivers/staging/greybus/core.c
index 61a4bc6687e66ec3973ecc08f6938a301a5635af..4b7034dc8558c6b22212302347fdd3752cc15799 100644 (file)
--- a/drivers/staging/greybus/core.c
+++ b/drivers/staging/greybus/core.c
@@ -395,8 +395,17 @@ struct greybus_device *greybus_new_module(struct device *parent,
        size -= sizeof(manifest->header);
        data += sizeof(manifest->header);
        while (size > 0) {
+               if (size < sizeof(desc->header)) {
+                       dev_err(parent, "remaining size %d too small\n", size);
+                       goto error;
+               }
                desc = (struct greybus_descriptor *)data;
                desc_size = le16_to_cpu(desc->header.size);
+               if (size < desc_size) {
+                       dev_err(parent, "descriptor size %d too big\n",
+                               desc_size);
+                       goto error;
+               }
 
                switch (le16_to_cpu(desc->header.type)) {
                case GREYBUS_TYPE_FUNCTION: