[PATCH] media: cec: extron-da-hd-4k-plus: add sanity check

Linux Media Controller development
 help / color / mirror / Atom feed

* [PATCH] media: cec: extron-da-hd-4k-plus: add sanity check
@ 2026-06-18 11:03 Hans Verkuil
  2026-06-18 11:16 ` Hans Verkuil
  2026-06-29 14:03 ` Laurent Pinchart
  0 siblings, 2 replies; 4+ messages in thread
From: Hans Verkuil @ 2026-06-18 11:03 UTC (permalink / raw)
  To: Linux Media Mailing List

Add check to prevent overflowing msg.msg[] in case the incoming data
is malformed.

Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
---
diff --git a/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c b/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
index 3381d86096a1..3c6ce6f3d93e 100644
--- a/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
+++ b/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
@@ -657,7 +657,8 @@ static void extron_process_received(struct extron_port *port, const char *data)
 	if (!port || port->disconnected)
 		return;

-	if (len < 5 || (len - 2) % 3 || data[len - 2] != '*')
+	if (len < 5 || ((len - 2) / 3 > sizeof(msg.msg)) ||
+	    (len - 2) % 3 || data[len - 2] != '*')
 		goto malformed;

 	while (*data != '*') {

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] media: cec: extron-da-hd-4k-plus: add sanity check
  2026-06-18 11:03 [PATCH] media: cec: extron-da-hd-4k-plus: add sanity check Hans Verkuil
@ 2026-06-18 11:16 ` Hans Verkuil
  2026-06-29 13:57   ` Sean Young
  2026-06-29 14:03 ` Laurent Pinchart
  1 sibling, 1 reply; 4+ messages in thread
From: Hans Verkuil @ 2026-06-18 11:16 UTC (permalink / raw)
  To: Linux Media Mailing List

On 18/06/2026 13:03, Hans Verkuil wrote:
> Add check to prevent overflowing msg.msg[] in case the incoming data
> is malformed.
> 
> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>

Fixes: 056f2821b631 ("media: cec: extron-da-hd-4k-plus: add the Extron DA HD 4K Plus CEC driver")
Cc: stable@vger.kernel.org

Regards,

	Hans

> ---
> diff --git a/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c b/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
> index 3381d86096a1..3c6ce6f3d93e 100644
> --- a/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
> +++ b/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
> @@ -657,7 +657,8 @@ static void extron_process_received(struct extron_port *port, const char *data)
>  	if (!port || port->disconnected)
>  		return;
> 
> -	if (len < 5 || (len - 2) % 3 || data[len - 2] != '*')
> +	if (len < 5 || ((len - 2) / 3 > sizeof(msg.msg)) ||
> +	    (len - 2) % 3 || data[len - 2] != '*')
>  		goto malformed;
> 
>  	while (*data != '*') {
> 


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] media: cec: extron-da-hd-4k-plus: add sanity check
  2026-06-18 11:16 ` Hans Verkuil
@ 2026-06-29 13:57   ` Sean Young
  0 siblings, 0 replies; 4+ messages in thread
From: Sean Young @ 2026-06-29 13:57 UTC (permalink / raw)
  To: Hans Verkuil; +Cc: Linux Media Mailing List

On Thu, Jun 18, 2026 at 01:16:22PM +0200, Hans Verkuil wrote:
> On 18/06/2026 13:03, Hans Verkuil wrote:
> > Add check to prevent overflowing msg.msg[] in case the incoming data
> > is malformed.
> > 
> > Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
> 
> Fixes: 056f2821b631 ("media: cec: extron-da-hd-4k-plus: add the Extron DA HD 4K Plus CEC driver")
> Cc: stable@vger.kernel.org

Looks good.

Reviewed-by: Sean Young <sean@mess.org>

> 
> Regards,
> 
> 	Hans
> 
> > ---
> > diff --git a/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c b/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
> > index 3381d86096a1..3c6ce6f3d93e 100644
> > --- a/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
> > +++ b/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
> > @@ -657,7 +657,8 @@ static void extron_process_received(struct extron_port *port, const char *data)
> >  	if (!port || port->disconnected)
> >  		return;
> > 
> > -	if (len < 5 || (len - 2) % 3 || data[len - 2] != '*')
> > +	if (len < 5 || ((len - 2) / 3 > sizeof(msg.msg)) ||
> > +	    (len - 2) % 3 || data[len - 2] != '*')
> >  		goto malformed;
> > 
> >  	while (*data != '*') {
> > 
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] media: cec: extron-da-hd-4k-plus: add sanity check
  2026-06-18 11:03 [PATCH] media: cec: extron-da-hd-4k-plus: add sanity check Hans Verkuil
  2026-06-18 11:16 ` Hans Verkuil
@ 2026-06-29 14:03 ` Laurent Pinchart
  1 sibling, 0 replies; 4+ messages in thread
From: Laurent Pinchart @ 2026-06-29 14:03 UTC (permalink / raw)
  To: Hans Verkuil; +Cc: Linux Media Mailing List

Hi Hans,

Thank you for the patch.

On Thu, Jun 18, 2026 at 01:03:19PM +0200, Hans Verkuil wrote:
> Add check to prevent overflowing msg.msg[] in case the incoming data
> is malformed.
> 
> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
> ---
> diff --git a/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c b/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
> index 3381d86096a1..3c6ce6f3d93e 100644
> --- a/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
> +++ b/drivers/media/cec/usb/extron-da-hd-4k-plus/extron-da-hd-4k-plus.c
> @@ -657,7 +657,8 @@ static void extron_process_received(struct extron_port *port, const char *data)
>  	if (!port || port->disconnected)
>  		return;
> 
> -	if (len < 5 || (len - 2) % 3 || data[len - 2] != '*')
> +	if (len < 5 || ((len - 2) / 3 > sizeof(msg.msg)) ||

I think you should use ARRAY_SIZE

> +	    (len - 2) % 3 || data[len - 2] != '*')

This seems correct, but I think the code would be easier to read and
maintain if you wrote

	int len;

	/* The last two bytes are ignored because ... */
	len = strlen(data) - 2;

	/*
	 * Ensure the data has at least one message, at most the number
	 * of messages that fit in msg.msg, and no extra bytes.
	 */
	if (len < 3 || len / 3 > ARRAY_SIZE(msg.msg) || len % 3)
  		goto malformed;

	if (data[len] != '*')
  		goto malformed;

>  		goto malformed;
> 
>  	while (*data != '*') {
> 

-- 
Regards,

Laurent Pinchart

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-06-29 14:06 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-18 11:03 [PATCH] media: cec: extron-da-hd-4k-plus: add sanity check Hans Verkuil
2026-06-18 11:16 ` Hans Verkuil
2026-06-29 13:57   ` Sean Young
2026-06-29 14:03 ` Laurent Pinchart

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox