On Mon Apr 21 21:52:44 2025 +0900, Jeongjun Park wrote:
> rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
> check the size of the rlen value. Therefore, if it is set to a value
> larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.
> 
> Therefore, we need to add proper range checking to prevent this vuln.
> 
> Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353")
> Cc: [email protected]
> Signed-off-by: Jeongjun Park <[email protected]>
> Signed-off-by: Hans Verkuil <[email protected]>

Patch committed.

Thanks,
Hans Verkuil

 drivers/media/usb/dvb-usb/dtv5100.c | 5 +++++
 1 file changed, 5 insertions(+)

---

diff --git a/drivers/media/usb/dvb-usb/dtv5100.c 
b/drivers/media/usb/dvb-usb/dtv5100.c
index 3d85c6f7f6ec..c448e2ebda1a 100644
--- a/drivers/media/usb/dvb-usb/dtv5100.c
+++ b/drivers/media/usb/dvb-usb/dtv5100.c
@@ -55,6 +55,11 @@ static int dtv5100_i2c_msg(struct dvb_usb_device *d, u8 addr,
        }
        index = (addr << 8) + wbuf[0];
 
+       if (rlen > sizeof(st->data)) {
+               warn("rlen = %x is too big!\n", rlen);
+               return -EINVAL;
+       }
+
        memcpy(st->data, rbuf, rlen);
        msleep(1); /* avoid I2C errors */
        return usb_control_msg(d->udev, pipe, request,
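
Review bot: the warn() in the new rlen check fires on every oversized request, and the commit message describes rlen as user-controlled, so a caller can fill the kernel log at will by repeating the bad request. Consider rate-limiting the message or dropping it and returning -EINVAL silently. If the message stays, "%x" prints bare hex with no "0x" prefix and does not show the limit, so printing rlen together with sizeof(st->data) would make the log line unambiguous. The check is also placed after the index computation although it depends only on rlen and the size of st->data; moving it to the start of the function would reject bad input before any other work is done.
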