* re: V4L/DVB (8986): cx24116: Adding DVB-S2 demodulator support
@ 2013-02-05 19:00 Dan Carpenter
0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2013-02-05 19:00 UTC (permalink / raw)
To: stoth; +Cc: linux-media
Hello Steven Toth,
The patch 0d46748c3f87: "V4L/DVB (8986): cx24116: Adding DVB-S2
demodulator support" from Sep 4, 2008, leads to the following warning:
"drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg()
error: buffer overflow 'd->msg' 6 <= 23"
drivers/media/dvb-frontends/cx24116.c
977 /* Validate length */
978 if (d->msg_len > (CX24116_ARGLEN - CX24116_DISEQC_MSGOFS))
979 return -EINVAL;
980
981 /* DiSEqC message */
982 for (i = 0; i < d->msg_len; i++)
983 state->dsec_cmd.args[CX24116_DISEQC_MSGOFS + i] = d->msg[i];
984
The state->dsec_cmd.args[] array has 30 elements. The d->msg[] array
has only 6 elements. We check that we don't write past the end of the
bigger array, but we could read past the end of the smaller array.
d->msg_len comes from the user.
I don't know if this can result in an information leak?
It's weird that we're copying bogus data into the state->dsec_cmd.args[]
array.
regards,
dan carpenter
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2013-02-05 19:00 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-02-05 19:00 V4L/DVB (8986): cx24116: Adding DVB-S2 demodulator support Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.