[media] dvb-core: prevent some corruption the legacy ioctl

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Quite a few of the ->diseqc_send_master_cmd() implementations don't
check cmd->msg_len so it can lead to memory corruption.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

authored by

Dan Carpenter and committed by

Mauro Carvalho Chehab 10 years ago 8d7e5063 5dce1ee6

+7 -1

1 changed file

expand all

drivers

media

dvb-core

dvb_frontend.c

+7 -1

drivers/media/dvb-core/dvb_frontend.c

··· 2384 2384 2385 2385 case FE_DISEQC_SEND_MASTER_CMD: 2386 2386 if (fe->ops.diseqc_send_master_cmd) { 2387 - err = fe->ops.diseqc_send_master_cmd(fe, (struct dvb_diseqc_master_cmd*) parg); 2387 + struct dvb_diseqc_master_cmd *cmd = parg; 2388 + 2389 + if (cmd->msg_len > sizeof(cmd->msg)) { 2390 + err = -EINVAL; 2391 + break; 2392 + } 2393 + err = fe->ops.diseqc_send_master_cmd(fe, cmd); 2388 2394 fepriv->state = FESTATE_DISEQC; 2389 2395 fepriv->status = 0; 2390 2396 }