drm/udl: Return error if vendor descriptor is too short

There need to be least 5 bytes in the vendor descriptor. Return
an error otherwise. Also change the branching to early-out on
the error. Adjust indention of the rest of the parser function.

The original length test expected more than 5 bytes in the vendor
descriptor. As a descriptor with no key-value pairs has exactly 5
bytes and is still valid, change the test to accept this case as
well.

v2
- clarify changes to length test in commit description (Patrik)

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://lore.kernel.org/r/20250410105948.25463-7-tzimmermann@suse.de

diff --git a/drivers/gpu/drm/udl/udl_main.c b/drivers/gpu/drm/udl/udl_main.c
index 4291ddb7158c4def7075c68eea9b8c1f0b9c0d1d..58d6065589d3a897ec4ab3ea9168bc1c4b41f356 100644 (file)
--- a/drivers/gpu/drm/udl/udl_main.c
+++ b/drivers/gpu/drm/udl/udl_main.c
@@ -45,43 +45,43 @@ static int udl_parse_vendor_descriptor(struct udl_device *udl)
                goto unrecognized;
        len = ret;
 
-       if (len > 5) {
-               DRM_INFO("vendor descriptor length: %u data:%11ph\n",
-                        len, desc);
-
-               if ((desc[0] != len) ||    /* descriptor length */
-                   (desc[1] != 0x5f) ||   /* vendor descriptor type */
-                   (desc[2] != 0x01) ||   /* version (2 bytes) */
-                   (desc[3] != 0x00) ||
-                   (desc[4] != len - 2))  /* length after type */
-                       goto unrecognized;
-
-               desc_end = desc + len;
-               desc += 5; /* the fixed header we've already parsed */
-
-               while (desc < desc_end) {
-                       u8 length;
-                       u16 key;
-
-                       key = le16_to_cpu(*((u16 *) desc));
-                       desc += sizeof(u16);
-                       length = *desc;
-                       desc++;
-
-                       switch (key) {
-                       case 0x0200: { /* max_area */
-                               u32 max_area;
-                               max_area = le32_to_cpu(*((u32 *)desc));
-                               DRM_DEBUG("DL chip limited to %d pixel modes\n",
-                                       max_area);
-                               udl->sku_pixel_limit = max_area;
-                               break;
-                       }
-                       default:
-                               break;
-                       }
-                       desc += length;
+       if (len < 5)
+               goto unrecognized;
+
+       DRM_INFO("vendor descriptor length: %u data:%11ph\n", len, desc);
+
+       if ((desc[0] != len) ||    /* descriptor length */
+           (desc[1] != 0x5f) ||   /* vendor descriptor type */
+           (desc[2] != 0x01) ||   /* version (2 bytes) */
+           (desc[3] != 0x00) ||
+           (desc[4] != len - 2))  /* length after type */
+               goto unrecognized;
+
+       desc_end = desc + len;
+       desc += 5; /* the fixed header we've already parsed */
+
+       while (desc < desc_end) {
+               u8 length;
+               u16 key;
+
+               key = le16_to_cpu(*((u16 *)desc));
+               desc += sizeof(u16);
+               length = *desc;
+               desc++;
+
+               switch (key) {
+               case 0x0200: { /* max_area */
+                       u32 max_area = le32_to_cpu(*((u32 *)desc));
+
+                       DRM_DEBUG("DL chip limited to %d pixel modes\n",
+                                 max_area);
+                       udl->sku_pixel_limit = max_area;
+                       break;
+               }
+               default:
+                       break;
                }
+               desc += length;
        }
 
        goto success;