[PATCH 3.19.y-ckt 022/251] [media] cx24117: fix a buffer overflow when checking userspace params
Kamal Mostafa
kamal at canonical.com
Thu Jul 16 01:05:43 UTC 2015
3.19.8-ckt4 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
commit 82e3b88b679049f043fe9b03991d6d66fc0a43c8 upstream.
The maximum size for a DiSEqC command is 6, according to the
userspace API. However, the code allows to write up much more values:
drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg() error: buffer overflow 'd->msg' 6 <= 23
Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
drivers/media/dvb-frontends/cx24117.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/dvb-frontends/cx24117.c b/drivers/media/dvb-frontends/cx24117.c
index acb965c..af63635 100644
--- a/drivers/media/dvb-frontends/cx24117.c
+++ b/drivers/media/dvb-frontends/cx24117.c
@@ -1043,7 +1043,7 @@ static int cx24117_send_diseqc_msg(struct dvb_frontend *fe,
dev_dbg(&state->priv->i2c->dev, ")\n");
/* Validate length */
- if (d->msg_len > 15)
+ if (d->msg_len > sizeof(d->msg))
return -EINVAL;
/* DiSEqC message */
--
1.9.1
More information about the kernel-team
mailing list