Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b56b07e8 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server
Browse files

Merge "radio-iris: check argument values before copying the data"

parents 037e5f5f 67118716

drivers/media/radio/radio-iris.c

+16 −3
Original line number Diff line number Diff line
@@ -3884,8 +3884,20 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv, 
		bytes_to_copy = (ctrl->controls[0]).size;

		spur_tbl_req.mode = data[0];

		spur_tbl_req.no_of_freqs_entries = data[1];

		spur_data = kmalloc((data[1] * SPUR_DATA_LEN) + 2,

							GFP_ATOMIC);



		if (((spur_tbl_req.no_of_freqs_entries * SPUR_DATA_LEN) !=

					bytes_to_copy - 2) ||

		    ((spur_tbl_req.no_of_freqs_entries * SPUR_DATA_LEN) >

					2 * FM_SPUR_TBL_SIZE)) {

			FMDERR("Invalid data len: data[1] = %d, bytes = %zu",

				spur_tbl_req.no_of_freqs_entries,

				bytes_to_copy);

			retval = -EINVAL;

			goto END;

		}

		spur_data =

		    kmalloc((spur_tbl_req.no_of_freqs_entries * SPUR_DATA_LEN)

							+ 2, GFP_ATOMIC);

		if (!spur_data) {

			FMDERR("Allocation failed for Spur data");

			retval = -EFAULT;
@@ -3900,7 +3912,8 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv, 


		if (spur_tbl_req.no_of_freqs_entries <= ENTRIES_EACH_CMD) {

			memcpy(&spur_tbl_req.spur_data[0], spur_data,

					(data[1] * SPUR_DATA_LEN));

				(spur_tbl_req.no_of_freqs_entries *

							SPUR_DATA_LEN));

			retval = radio_hci_request(radio->fm_hdev,

					hci_fm_set_spur_tbl_req,

					(unsigned long)&spur_tbl_req,