* [PATCH] media: ttusb-dec: reject oversized packet lengths early
@ 2026-03-24 1:44 Pengpeng Hou
From: Pengpeng Hou @ 2026-03-24 1:44 UTC
To: mchehab; +Cc: linux-media, linux-kernel, pengpeng
ttusb_dec_process_urb_frame() derives packet_payload_length directly
from bytes in the incoming USB stream and then uses that length to
append data into dec->packet[]. The driver only rejects oversized PVA
payloads later in ttusb_dec_process_pva(), after the receive state
machine has already filled the fixed packet buffer.
Reject packet lengths that cannot fit in dec->packet[] before advancing
the receive state machine to the bulk copy state.
---
drivers/media/usb/ttusb-dec/ttusb_dec.c | 28 +++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
index 825a3875989d..072ce5b09683 100644
--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
+++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
@@ -703,17 +703,41 @@ static void ttusb_dec_process_urb_frame(struct ttusb_dec *dec, u8 *b,
if (dec->packet_type == TTUSB_DEC_PACKET_PVA &&
dec->packet_length == 8) {
- dec->packet_state++;
+ unsigned int max_payload_length;
+
dec->packet_payload_length = 8 +
(dec->packet[6] << 8) +
dec->packet[7];
+ max_payload_length = sizeof(dec->packet) - 4;
+ if (dec->packet_payload_length >
+ max_payload_length) {
+ printk("%s: packet too long - discarding\n",
+ __func__);
+ dec->packet_state = 0;
+ dec->packet_length = 0;
+ break;
+ }
+ dec->packet_state++;
} else if (dec->packet_type ==
TTUSB_DEC_PACKET_SECTION &&
dec->packet_length == 5) {
- dec->packet_state++;
+ unsigned int max_payload_length;
+
dec->packet_payload_length = 5 +
((dec->packet[3] & 0x0f) << 8) +
dec->packet[4];
+ max_payload_length = sizeof(dec->packet) - 4;
+ if (dec->packet_payload_length % 2)
+ max_payload_length--;
+ if (dec->packet_payload_length >
+ max_payload_length) {
+ printk("%s: packet too long - discarding\n",
+ __func__);
+ dec->packet_state = 0;
+ dec->packet_length = 0;
+ break;
+ }
+ dec->packet_state++;
}
length--;
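Review bot: the two new discard paths log with a bare printk() that has no KERN_ level and no rate limiting, so a malformed stream can flood the kernel log; replace `printk("%s: packet too long - discarding\n", __func__);` with pr_warn_ratelimited() (or dev_warn_ratelimited() on the USB device). The bound also needs a comment: `max_payload_length = sizeof(dec->packet) - 4;` and the extra `max_payload_length--;` for odd SECTION lengths are magic numbers whose relation to the bytes the later copy states append after the payload is not visible in this hunk, and the odd-length adjustment is applied only in the SECTION branch while the PVA branch uses the same `- 4` unadjusted, so either explain that asymmetry or make both checks consistent. The reset-and-discard sequence is duplicated verbatim in both branches and could be a small static helper. The patch is also missing a Signed-off-by line, which it needs before it can be merged.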
--
2.50.1 (Apple Git-155)
* [PATCH v2] media: ttusb-dec: reject oversized packet lengths early
@ 2026-03-24 6:40 ` Pengpeng Hou
From: Pengpeng Hou @ 2026-03-24 6:40 UTC
To: mchehab; +Cc: linux-media, linux-kernel, pengpeng
ttusb_dec_process_urb_frame() derives packet_payload_length directly
from bytes in the incoming USB stream and then uses that length to
append data into dec->packet[]. The receive state machine does not
reject oversized packet lengths before it advances to the bulk copy
path, so malformed PVA or SECTION packets can exceed the fixed packet
buffer before packet-specific validation gets a chance to discard them.
Reject packet lengths that cannot fit in dec->packet[] before advancing
the receive state machine to the bulk copy state. Use
pr_warn_ratelimited() when discarding an oversized packet so malformed
streams cannot spam the log.
Found by static analysis.
Compile-tested only.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
v2:
- add the missing Signed-off-by line
- replace raw printk() calls with pr_warn_ratelimited()
- clarify the commit message so it matches the PVA and SECTION bounds
checks in the patch
drivers/media/usb/ttusb-dec/ttusb_dec.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
index 825a3875989d..a9121fcaa5b9 100644
--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
+++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
@@ -703,17 +703,34 @@ static void ttusb_dec_process_urb_frame(struct ttusb_dec *dec, u8 *b,
if (dec->packet_type == TTUSB_DEC_PACKET_PVA &&
dec->packet_length == 8) {
- dec->packet_state++;
dec->packet_payload_length = 8 +
(dec->packet[6] << 8) +
dec->packet[7];
+ if (dec->packet_payload_length >
+ sizeof(dec->packet) - 4) {
+ pr_warn_ratelimited("%s: packet too long - discarding\n",
+ __func__);
+ dec->packet_state = 0;
+ dec->packet_length = 0;
+ break;
+ }
+ dec->packet_state++;
} else if (dec->packet_type ==
TTUSB_DEC_PACKET_SECTION &&
dec->packet_length == 5) {
- dec->packet_state++;
dec->packet_payload_length = 5 +
((dec->packet[3] & 0x0f) << 8) +
dec->packet[4];
+ if (dec->packet_payload_length >
+ sizeof(dec->packet) - 4 -
+ !!(dec->packet_payload_length % 2)) {
+ pr_warn_ratelimited("%s: packet too long - discarding\n",
+ __func__);
+ dec->packet_state = 0;
+ dec->packet_length = 0;
+ break;
+ }
+ dec->packet_state++;
}
length--;
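Review bot: the SECTION bound `sizeof(dec->packet) - 4 - !!(dec->packet_payload_length % 2)` is valid C but hard to verify in review; a named local such as `max_payload_length` with a one-line comment stating what the 4 trailing bytes and the odd-length padding byte account for would let a reader check it without tracing the later copy states. The PVA branch applies only `- 4` with no odd-length adjustment; if that difference is intentional, say so in a comment, otherwise the two checks should match. The discard sequence (`pr_warn_ratelimited(...)`, `dec->packet_state = 0;`, `dec->packet_length = 0;`, `break;`) is now copied verbatim into both branches and could be factored into a small static helper so the two paths cannot drift. Since the change is described as compile-tested only and found by static analysis, naming the tool and stating whether a stream with an oversized length field was fed through the receive path would strengthen the submission.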
--
2.50.1 (Apple Git-155)