From: Sean Young Date: Mon, 8 Jul 2013 20:33:11 +0000 (-0300) Subject: [media] lirc: validate transmission ir data X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=25379bf8bc4d4e83bd74d823048b85a95ae5a521;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git [media] lirc: validate transmission ir data The lirc interface allows 255 u32 spaces and pulses, which are usec. If the driver can handle this (e.g. winbond-cir) you can produce hours of meaningless IR data and there is no method of interrupting it. Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/rc/ir-lirc-codec.c b/drivers/media/rc/ir-lirc-codec.c index e4561264e124..e5be920c0599 100644 --- a/drivers/media/rc/ir-lirc-codec.c +++ b/drivers/media/rc/ir-lirc-codec.c @@ -140,11 +140,20 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, goto out; } + for (i = 0; i < count; i++) { + if (txbuf[i] > IR_MAX_DURATION / 1000 - duration || !txbuf[i]) { + ret = -EINVAL; + goto out; + } + + duration += txbuf[i]; + } + ret = dev->tx_ir(dev, txbuf, count); if (ret < 0) goto out; - for (i = 0; i < ret; i++) + for (duration = i = 0; i < ret; i++) duration += txbuf[i]; ret *= sizeof(unsigned int);