| From 1fa2337a315a2448c5434f41e00d56b01a22283c Mon Sep 17 00:00:00 2001 |
| From: Mauro Carvalho Chehab <mchehab@osg.samsung.com> |
| Date: Tue, 28 Apr 2015 18:51:17 -0300 |
| Subject: [media] cx24116: fix a buffer overflow when checking userspace params |
| |
| From: Mauro Carvalho Chehab <mchehab@osg.samsung.com> |
| |
| commit 1fa2337a315a2448c5434f41e00d56b01a22283c upstream. |
| |
| The maximum size for a DiSEqC command is 6, according to the |
| userspace API. However, the code allows to write up much more values: |
| drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg() error: buffer overflow 'd->msg' 6 <= 23 |
| |
| Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/media/dvb-frontends/cx24116.c | 8 ++++---- |
| 1 file changed, 4 insertions(+), 4 deletions(-) |
| |
| --- a/drivers/media/dvb-frontends/cx24116.c |
| +++ b/drivers/media/dvb-frontends/cx24116.c |
| @@ -963,6 +963,10 @@ static int cx24116_send_diseqc_msg(struc |
| struct cx24116_state *state = fe->demodulator_priv; |
| int i, ret; |
| |
| + /* Validate length */ |
| + if (d->msg_len > sizeof(d->msg)) |
| + return -EINVAL; |
| + |
| /* Dump DiSEqC message */ |
| if (debug) { |
| printk(KERN_INFO "cx24116: %s(", __func__); |
| @@ -974,10 +978,6 @@ static int cx24116_send_diseqc_msg(struc |
| printk(") toneburst=%d\n", toneburst); |
| } |
| |
| - /* Validate length */ |
| - if (d->msg_len > (CX24116_ARGLEN - CX24116_DISEQC_MSGOFS)) |
| - return -EINVAL; |
| - |
| /* DiSEqC message */ |
| for (i = 0; i < d->msg_len; i++) |
| state->dsec_cmd.args[CX24116_DISEQC_MSGOFS + i] = d->msg[i]; |