drm/udl: Return error if vendor descriptor is too short

There need to be least 5 bytes in the vendor descriptor. Return an error otherwise. Also change the branching to early-out on the error. Adjust indention of the rest of the parser function. The original length test expected more than 5 bytes in the vendor descriptor. As a descriptor with no key-value pairs has exactly 5 bytes and is still valid, change the test to accept this case as well. v2 - clarify changes to length test in commit description (Patrik) Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Reviewed-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com> Link: https://lore.kernel.org/r/20250410105948.25463-7-tzimmermann@suse.de
2026-05-25 15:41:52 +02:00 · 2025-04-10 12:59:03 +02:00 · 2025-04-10 12:59:03 +02:00 · 1fad33f04e
commit 1fad33f04e
parent 895452ae48
1 changed files with 31 additions and 31 deletions
--- a/drivers/gpu/drm/udl/udl_main.c
+++ b/drivers/gpu/drm/udl/udl_main.c
@ -45,43 +45,43 @@ static int udl_parse_vendor_descriptor(struct udl_device *udl)
 		goto unrecognized;
 	len = ret;

-	if (len > 5) {
-		DRM_INFO("vendor descriptor length: %u data:%11ph\n",
-			 len, desc);
+	if (len < 5)
+		goto unrecognized;

-		if ((desc[0] != len) ||    /* descriptor length */
-		    (desc[1] != 0x5f) ||   /* vendor descriptor type */
-		    (desc[2] != 0x01) ||   /* version (2 bytes) */
-		    (desc[3] != 0x00) ||
-		    (desc[4] != len - 2))  /* length after type */
-			goto unrecognized;
+	DRM_INFO("vendor descriptor length: %u data:%11ph\n", len, desc);

-		desc_end = desc + len;
-		desc += 5; /* the fixed header we've already parsed */
+	if ((desc[0] != len) ||    /* descriptor length */
+	    (desc[1] != 0x5f) ||   /* vendor descriptor type */
+	    (desc[2] != 0x01) ||   /* version (2 bytes) */
+	    (desc[3] != 0x00) ||
+	    (desc[4] != len - 2))  /* length after type */
+		goto unrecognized;

-		while (desc < desc_end) {
-			u8 length;
-			u16 key;
+	desc_end = desc + len;
+	desc += 5; /* the fixed header we've already parsed */

-			key = le16_to_cpu(*((u16 *) desc));
-			desc += sizeof(u16);
-			length = *desc;
-			desc++;
+	while (desc < desc_end) {
+		u8 length;
+		u16 key;

-			switch (key) {
-			case 0x0200: { /* max_area */
-				u32 max_area;
-				max_area = le32_to_cpu(*((u32 *)desc));
-				DRM_DEBUG("DL chip limited to %d pixel modes\n",
-					max_area);
-				udl->sku_pixel_limit = max_area;
-				break;
-			}
-			default:
-				break;
-			}
-			desc += length;
+		key = le16_to_cpu(*((u16 *)desc));
+		desc += sizeof(u16);
+		length = *desc;
+		desc++;
+
+		switch (key) {
+		case 0x0200: { /* max_area */
+			u32 max_area = le32_to_cpu(*((u32 *)desc));
+
+			DRM_DEBUG("DL chip limited to %d pixel modes\n",
+				  max_area);
+			udl->sku_pixel_limit = max_area;
+			break;
 		}
+		default:
+			break;
+		}
+		desc += length;
 	}

 	goto success;