commit 25379bf8bc4d4e83bd74d823048b85a95ae5a521
author Sean Young <sean@mess.org> Mon Jul 08 17:33:11 2013 -0300
committer Mauro Carvalho Chehab <m.chehab@samsung.com> Tue Jul 30 17:03:16 2013 -0300
tree 51acef42c7d8c85ddb15ccf5a277a2c4a63ef7ee
parent 58a61f99620d635fcdaf84c9b1818b79e11d28c5

[media] lirc: validate transmission ir data

The lirc interface allows 255 u32 spaces and pulses, which are usec. If
the driver can handle this (e.g. winbond-cir) you can produce hours of
meaningless IR data and there is no method of interrupting it.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>

drivers/media/rc/ir-lirc-codec.c

diff --git a/drivers/media/rc/ir-lirc-codec.c b/drivers/media/rc/ir-lirc-codec.c
index e456126..e5be920 100644
--- a/drivers/media/rc/ir-lirc-codec.c
+++ b/drivers/media/rc/ir-lirc-codec.c
@@ -140,11 +140,20 @@
 		goto out;
 	}
 
+	for (i = 0; i < count; i++) {
+		if (txbuf[i] > IR_MAX_DURATION / 1000 - duration || !txbuf[i]) {
+			ret = -EINVAL;
+			goto out;
+		}
+
+		duration += txbuf[i];
+	}
+
 	ret = dev->tx_ir(dev, txbuf, count);
 	if (ret < 0)
 		goto out;
 
-	for (i = 0; i < ret; i++)
+	for (duration = i = 0; i < ret; i++)
 		duration += txbuf[i];
 
 	ret *= sizeof(unsigned int);