media: mceusb: Fix potential out-of-bounds shift

When processing a MCE_RSP_GETPORTSTATUS command, the bit index to set in ir->txports_cabled comes from response data, and isn't validated. As ir->txports_cabled is a u8, nothing should be done if the bit index is greater than 7. Cc: stable@vger.kernel.org Reported-by: syzbot+ec3b3128c576e109171d@syzkaller.appspotmail.com Signed-off-by: N James Reynolds <jr@memlen.com> Signed-off-by: N Sean Young <sean@mess.org> Signed-off-by: N Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

media: mceusb: Fix potential out-of-bounds shift
When processing a MCE_RSP_GETPORTSTATUS command, the bit index to set in ir->txports_cabled comes from response data, and isn't validated. As ir->txports_cabled is a u8, nothing should be done if the bit index is greater than 7. Cc: stable@vger.kernel.org Reported-by: syzbot+ec3b3128c576e109171d@syzkaller.appspotmail.com Signed-off-by: N James Reynolds <jr@memlen.com> Signed-off-by: N Sean Young <sean@mess.org> Signed-off-by: N Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
1b43bad3 · James Reynolds · Mauro Carvalho Chehab · 4487e021 · 1b43bad3
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/media/rc/mceusb.c drivers/media/rc/mceusb.c +1 -1

未找到文件。
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1169,7 +1169,7 @@ static void mceusb_handle_command(struct mceusb_dev *ir, u8 *buf_in)
 		switch (subcmd) {
 		/* the one and only 5-byte return value command */
 		case MCE_RSP_GETPORTSTATUS:
-			if (buf_in[5] == 0)
+			if (buf_in[5] == 0 && *hi < 8)
 				ir->txports_cabled |= 1 << *hi;
 			break;