[media] dvb-core: prevent some corruption the legacy ioctl
Quite a few of the ->diseqc_send_master_cmd() implementations don't check cmd->msg_len so it can lead to memory corruption. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
This commit is contained in:
parent
5dce1ee611
commit
8d7e506350
|
@ -2384,7 +2384,13 @@ static int dvb_frontend_ioctl_legacy(struct file *file,
|
|||
|
||||
case FE_DISEQC_SEND_MASTER_CMD:
|
||||
if (fe->ops.diseqc_send_master_cmd) {
|
||||
err = fe->ops.diseqc_send_master_cmd(fe, (struct dvb_diseqc_master_cmd*) parg);
|
||||
struct dvb_diseqc_master_cmd *cmd = parg;
|
||||
|
||||
if (cmd->msg_len > sizeof(cmd->msg)) {
|
||||
err = -EINVAL;
|
||||
break;
|
||||
}
|
||||
err = fe->ops.diseqc_send_master_cmd(fe, cmd);
|
||||
fepriv->state = FESTATE_DISEQC;
|
||||
fepriv->status = 0;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue