diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2015-06-06 19:55:22 +0300 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@osg.samsung.com> | 2015-06-10 17:47:56 +0300 |
commit | 8d7e506350a3ff1b0659f7f5d65115a9be5ae37e (patch) | |
tree | 98299bf40e33546a3b42e4628108d8351c3ae3ef | |
parent | 5dce1ee611e4acd0893c77611d25fe5b1594764a (diff) | |
download | linux-8d7e506350a3ff1b0659f7f5d65115a9be5ae37e.tar.xz |
[media] dvb-core: prevent some corruption the legacy ioctl
Quite a few of the ->diseqc_send_master_cmd() implementations don't
check cmd->msg_len so it can lead to memory corruption.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-rw-r--r-- | drivers/media/dvb-core/dvb_frontend.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c index b30ca59de04f..842b9c8f80c6 100644 --- a/drivers/media/dvb-core/dvb_frontend.c +++ b/drivers/media/dvb-core/dvb_frontend.c @@ -2384,7 +2384,13 @@ static int dvb_frontend_ioctl_legacy(struct file *file, case FE_DISEQC_SEND_MASTER_CMD: if (fe->ops.diseqc_send_master_cmd) { - err = fe->ops.diseqc_send_master_cmd(fe, (struct dvb_diseqc_master_cmd*) parg); + struct dvb_diseqc_master_cmd *cmd = parg; + + if (cmd->msg_len > sizeof(cmd->msg)) { + err = -EINVAL; + break; + } + err = fe->ops.diseqc_send_master_cmd(fe, cmd); fepriv->state = FESTATE_DISEQC; fepriv->status = 0; } |