[media] gspca: underflow in vidioc_s_parm()
Commit Message
"n" is a user controlled integer. The code here doesn't handle the case
where "n" is negative and this causes a static checker warning.
drivers/media/usb/gspca/gspca.c:1571 vidioc_s_parm()
warn: no lower bound on 'n'
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I haven't followed through to see if this is a real problem.
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Comments
Hi,
On 07-01-15 12:04, Dan Carpenter wrote:
> "n" is a user controlled integer. The code here doesn't handle the case
> where "n" is negative and this causes a static checker warning.
>
> drivers/media/usb/gspca/gspca.c:1571 vidioc_s_parm()
> warn: no lower bound on 'n'
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> I haven't followed through to see if this is a real problem.
Thanks for the report, it is a real problem, but since
parm->parm.capture.readbuffers is unsigned I've chosen to fix it
by making n unsigned too instead.
Regards,
Hans
>
> diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
> index 43d6505..27f7da1 100644
> --- a/drivers/media/usb/gspca/gspca.c
> +++ b/drivers/media/usb/gspca/gspca.c
> @@ -1565,6 +1565,8 @@ static int vidioc_s_parm(struct file *filp, void *priv,
> int n;
>
> n = parm->parm.capture.readbuffers;
> + if (n < 0)
> + return -EINVAL;
> if (n == 0 || n >= GSPCA_MAX_FRAMES)
> parm->parm.capture.readbuffers = gspca_dev->nbufread;
> else
>
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
@@ -1565,6 +1565,8 @@ static int vidioc_s_parm(struct file *filp, void *priv,
int n;
n = parm->parm.capture.readbuffers;
+ if (n < 0)
+ return -EINVAL;
if (n == 0 || n >= GSPCA_MAX_FRAMES)
parm->parm.capture.readbuffers = gspca_dev->nbufread;
else