watchdog: ziirave_wdt: check record length in ziirave_firm_verify()

The "rec->len" value comes from the firmware. We generally do trust firmware, but it's always better to double check. If the length value is too large it would lead to memory corruption when we set "data[i] = ret;" Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Link: https://lore.kernel.org/r/3b58b453f0faa8b968c90523f52c11908b56c346.1748463049.git.dan.carpenter@linaro.org Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
author: Dan Carpenter <dan.carpenter@linaro.org> 2025-05-28 23:22:19 +0300
committer: Wim Van Sebroeck <wim@linux-watchdog.org> 2025-07-16 18:05:00 +0200
commit: 8b61d8ca751bc15875b50e0ff6ac3ba0cf95a529 (patch)
tree: f0514a96511a2d07f1dcb944254ee7a2a27522e7
parent: d7b8f8e20813f0179d8ef519541a3527e7661d3a (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c
index fcc1ba02e75b..5c6e3fa001d8 100644
--- a/drivers/watchdog/ziirave_wdt.c
+++ b/drivers/watchdog/ziirave_wdt.c
@@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd,
 		const u16 len = be16_to_cpu(rec->len);
 		const u32 addr = be32_to_cpu(rec->addr);
 
+		if (len > sizeof(data))
+			return -EINVAL;
+
 		if (ziirave_firm_addr_readonly(addr))
 			continue;
author	Dan Carpenter <dan.carpenter@linaro.org>	2025-05-28 23:22:19 +0300
committer	Wim Van Sebroeck <wim@linux-watchdog.org>	2025-07-16 18:05:00 +0200
commit	8b61d8ca751bc15875b50e0ff6ac3ba0cf95a529 (patch)
tree	f0514a96511a2d07f1dcb944254ee7a2a27522e7
parent	d7b8f8e20813f0179d8ef519541a3527e7661d3a (diff)