* Patch "[media] cx24116: fix a buffer overflow when checking userspace params" has been added to the 3.14-stable tree
@ 2015-07-30 0:47 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2015-07-30 0:47 UTC (permalink / raw)
To: mchehab, gregkh; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
[media] cx24116: fix a buffer overflow when checking userspace params
to the 3.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch
and it can be found in the queue-3.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From 1fa2337a315a2448c5434f41e00d56b01a22283c Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Date: Tue, 28 Apr 2015 18:51:17 -0300
Subject: [media] cx24116: fix a buffer overflow when checking userspace params
From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
commit 1fa2337a315a2448c5434f41e00d56b01a22283c upstream.
The maximum size for a DiSEqC command is 6, according to the
userspace API. However, the code allows to write up much more values:
drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg() error: buffer overflow 'd->msg' 6 <= 23
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-frontends/cx24116.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/media/dvb-frontends/cx24116.c
+++ b/drivers/media/dvb-frontends/cx24116.c
@@ -963,6 +963,10 @@ static int cx24116_send_diseqc_msg(struc
struct cx24116_state *state = fe->demodulator_priv;
int i, ret;
+ /* Validate length */
+ if (d->msg_len > sizeof(d->msg))
+ return -EINVAL;
+
/* Dump DiSEqC message */
if (debug) {
printk(KERN_INFO "cx24116: %s(", __func__);
@@ -974,10 +978,6 @@ static int cx24116_send_diseqc_msg(struc
printk(") toneburst=%d\n", toneburst);
}
- /* Validate length */
- if (d->msg_len > (CX24116_ARGLEN - CX24116_DISEQC_MSGOFS))
- return -EINVAL;
-
/* DiSEqC message */
for (i = 0; i < d->msg_len; i++)
state->dsec_cmd.args[CX24116_DISEQC_MSGOFS + i] = d->msg[i];
Patches currently in stable-queue which might be from mchehab@osg.samsung.com are
queue-3.14/cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch
queue-3.14/saa7164-fix-querycap-warning.patch
queue-3.14/s5h1420-fix-a-buffer-overflow-when-checking-userspace-params.patch
queue-3.14/cx24117-fix-a-buffer-overflow-when-checking-userspace-params.patch
queue-3.14/af9013-don-t-accept-invalid-bandwidth.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2015-07-30 0:47 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-07-30 0:47 Patch "[media] cx24116: fix a buffer overflow when checking userspace params" has been added to the 3.14-stable tree gregkh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.