[PATCH 4.4 085/112] mmc: sdio: Check for CISTPL_VERS_1 buffer size

Greg Kroah-Hartman Tue, 27 Oct 2020 07:02:08 -0700

From: Pali Rohár <p...@kernel.org>

[ Upstream commit 8ebe2607965d3e2dc02029e8c7dd35fbe508ffd0 ]


Before parsing CISTPL_VERS_1 structure check that its size is at least two
bytes to prevent buffer overflow.

Signed-off-by: Pali Rohár <p...@kernel.org>
Link: https://lore.kernel.org/r/20200727133837.19086-2-p...@kernel.org
Signed-off-by: Ulf Hansson <ulf.hans...@linaro.org>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
 drivers/mmc/core/sdio_cis.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c
index 8e94e555b788d..8651bd30863d4 100644
--- a/drivers/mmc/core/sdio_cis.c
+++ b/drivers/mmc/core/sdio_cis.c
@@ -30,6 +30,9 @@ static int cistpl_vers_1(struct mmc_card *card, struct 
sdio_func *func,
        unsigned i, nr_strings;
        char **buffer, *string;
 
+       if (size < 2)
+               return 0;
+
        /* Find all null-terminated (including zero length) strings in
           the TPLLV1_INFO field. Trailing garbage is ignored. */
        buf += 2;
-- 
2.25.1

[PATCH 4.4 085/112] mmc: sdio: Check for CISTPL_VERS_1 buffer size

Reply via email to