[PATCH v3 07/12] [media] ddbridge: fix possible buffer overflow in ddb_ports_init()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Daniel Scheller <d.scheller.oss@gmail.com>
To: linux-media@vger.kernel.org, mchehab@kernel.org,
	mchehab@s-opensource.com
Cc: r.scobie@clear.net.nz, jasmin@anw.at, d_spingler@freenet.de,
	Manfred.Knick@t-online.de, rjkm@metzlerbros.de
Subject: [PATCH v3 07/12] [media] ddbridge: fix possible buffer overflow in ddb_ports_init()
Date: Wed,  9 Aug 2017 22:31:23 +0200	[thread overview]
Message-ID: <20170809203128.31476-8-d.scheller.oss@gmail.com> (raw)
In-Reply-To: <20170809203128.31476-1-d.scheller.oss@gmail.com>

From: Daniel Scheller <d.scheller@gmx.net>

Report from smatch:

  drivers/media/pci/ddbridge/ddbridge-core.c:2659 ddb_ports_init() error: buffer overflow 'dev->port' 32 <= u32max

Fix by making sure "p" is greater than zero before checking for
"dev->port[].type == DDB_CI_EXTERNAL_XO2".

Cc: Ralph Metzler <rjkm@metzlerbros.de>
Signed-off-by: Daniel Scheller <d.scheller@gmx.net>
Tested-by: Richard Scobie <r.scobie@clear.net.nz>
Tested-by: Jasmin Jessich <jasmin@anw.at>
Tested-by: Dietmar Spingler <d_spingler@freenet.de>
Tested-by: Manfred Knick <Manfred.Knick@t-online.de>
---
 drivers/media/pci/ddbridge/ddbridge-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/pci/ddbridge/ddbridge-core.c b/drivers/media/pci/ddbridge/ddbridge-core.c
index d01d54159008..2a4bb6ddf3a2 100644
--- a/drivers/media/pci/ddbridge/ddbridge-core.c
+++ b/drivers/media/pci/ddbridge/ddbridge-core.c
@@ -2551,7 +2551,7 @@ void ddb_ports_init(struct ddb *dev)
 			port->dvb[0].adap = &dev->adap[2 * p];
 			port->dvb[1].adap = &dev->adap[2 * p + 1];
 
-			if ((port->class == DDB_PORT_NONE) && i &&
+			if ((port->class == DDB_PORT_NONE) && i && p &&
 			    dev->port[p - 1].type == DDB_CI_EXTERNAL_XO2) {
 				port->class = DDB_PORT_CI;
 				port->type = DDB_CI_EXTERNAL_XO2_B;
-- 
2.13.0

next prev parent reply	other threads:[~2017-08-09 20:31 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-09 20:31 [PATCH v3 00/12] ddbridge: bump to ddbridge-0.9.29 Daniel Scheller
2017-08-09 20:31 ` [PATCH v3 01/12] [media] ddbridge: bump ddbridge code to version 0.9.29 Daniel Scheller
2017-08-09 20:31 ` [PATCH v3 02/12] [media] ddbridge: split I/O related functions off from ddbridge.h Daniel Scheller
2017-08-09 20:31 ` [PATCH v3 03/12] [media] ddbridge: split off IRQ handling Daniel Scheller
2017-08-09 20:31 ` [PATCH v3 04/12] [media] ddbridge: split off hardware definitions and mappings Daniel Scheller
2017-08-09 20:31 ` [PATCH v3 05/12] [media] ddbridge: check pointers before dereferencing Daniel Scheller
2017-08-09 20:31 ` [PATCH v3 06/12] [media] ddbridge: only register frontends in fe2 if fe is not NULL Daniel Scheller
2017-08-09 20:31 ` Daniel Scheller [this message]
2017-08-09 20:31 ` [PATCH v3 08/12] [media] ddbridge: remove unreachable code Daniel Scheller
2017-08-09 20:31 ` [PATCH v3 09/12] [media] ddbridge: fix impossible condition warning Daniel Scheller
2017-08-09 20:31 ` [PATCH v3 10/12] [media] ddbridge: fix dereference before check Daniel Scheller
2017-08-09 20:31 ` [PATCH v3 11/12] [media] ddbridge: Kconfig option to control the MSI modparam default Daniel Scheller
2017-08-09 20:31 ` [PATCH v3 12/12] [media] MAINTAINERS: add entry for ddbridge Daniel Scheller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d01d5415900 dfblob:2a4bb6ddf3a )
 OR (
bs:"[PATCH v3 07/12] [media] ddbridge: fix possible buffer overflow in ddb_ports_init()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170809203128.31476-8-d.scheller.oss@gmail.com \
    --to=d.scheller.oss@gmail.com \
    --cc=Manfred.Knick@t-online.de \
    --cc=d_spingler@freenet.de \
    --cc=jasmin@anw.at \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=mchehab@s-opensource.com \
    --cc=r.scobie@clear.net.nz \
    --cc=rjkm@metzlerbros.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.