[Acked] [Lucid][Precise][CVE-2014-8884] [media] ttusb-dec: buffer overflow in ioctl
Andy Whitcroft
apw at canonical.com
Mon Nov 24 12:53:01 UTC 2014
On Mon, Nov 24, 2014 at 12:16:11PM +0000, Luis Henriques wrote:
> From: Dan Carpenter <dan.carpenter at oracle.com>
>
> We need to add a limit check here so we don't overflow the buffer.
>
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
> (backported from commit f2e323ec96077642d397bb1c355def536d489d16)
> CVE-2014-8884
> BugLink: http://bugs.launchpad.net/bugs/1395187
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> drivers/media/dvb/ttusb-dec/ttusbdecfe.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
> index 21260aad1e54..852870b80df3 100644
> --- a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
> +++ b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
> @@ -154,6 +154,9 @@ static int ttusbdecfe_dvbs_diseqc_send_master_cmd(struct dvb_frontend* fe, struc
> 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00 };
>
> + if (cmd->msg_len > sizeof(b) - 4)
> + return -EINVAL;
> +
> memcpy(&b[4], cmd->msg, cmd->msg_len);
>
> state->config->send_command(fe, 0x72,
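Review bot: the literal 4 in `if (cmd->msg_len > sizeof(b) - 4)` repeats the offset used by `memcpy(&b[4], cmd->msg, cmd->msg_len);` a few lines below, with nothing tying the two together. A named constant for that header length, or a one-line comment, would keep the bound and the copy in step if the layout of b ever changes. The comparison is against sizeof(b), so it bounds the destination only. The size of cmd->msg is not visible in this hunk, so it is worth confirming that msg_len cannot also read past the end of the source array.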
Looks identical to the original, simple, looks to do what is claimed,
therefore:
Acked-by: Andy Whitcroft <apw at canonical.com>
-apw