staging: bcm2835-camera: Fix buffer overflow calculation on query of camera properties

The code that queries properties on the camera has a check for buffer overruns if the firmware sends too much data. This check is incorrect, and during testing I was seeing stack corruption. I believe this error can actually happen in normal use, just for some reason it doesn't appear on 32 bit as often. So perhaps it's best for the check to be fixed. Signed-off-by: Michael Zoran <mzoran@crowfest.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Michael Zoran <mzoran@crowfest.net> 2017-03-09 21:08:57 -0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-03-10 10:12:10 +0100
commit: 85b1ac7359366e7386fb593427ee3e981e065259 (patch)
tree: 82f3437acd4f76cda5dff4b5ce8600bbeecd3e94 /drivers/staging/vc04_services
parent: 74369b5f22b72a4b4fd38a12f36251d38c022831 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
index 41de8956e421..976aa08365f2 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
@@ -1442,7 +1442,7 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance,
 	}
 
 	ret = -rmsg->u.port_parameter_get_reply.status;
-	if (ret) {
+	if (ret || (rmsg->u.port_parameter_get_reply.size > *value_size)) {
 		/* Copy only as much as we have space for
 		 * but report true size of parameter
 		 */
author	Michael Zoran <mzoran@crowfest.net>	2017-03-09 21:08:57 -0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-03-10 10:12:10 +0100
commit	85b1ac7359366e7386fb593427ee3e981e065259 (patch)
tree	82f3437acd4f76cda5dff4b5ce8600bbeecd3e94 /drivers/staging/vc04_services
parent	74369b5f22b72a4b4fd38a12f36251d38c022831 (diff)