* re: V4L/DVB (8986): cx24116: Adding DVB-S2 demodulator support
@ 2013-02-05 19:00 Dan Carpenter
0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2013-02-05 19:00 UTC (permalink / raw)
To: stoth; +Cc: linux-media
Hello Steven Toth,
The patch 0d46748c3f87: "V4L/DVB (8986): cx24116: Adding DVB-S2
demodulator support" from Sep 4, 2008, leads to the following warning:
"drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg()
error: buffer overflow 'd->msg' 6 <= 23"
drivers/media/dvb-frontends/cx24116.c
977 /* Validate length */
978 if (d->msg_len > (CX24116_ARGLEN - CX24116_DISEQC_MSGOFS))
979 return -EINVAL;
980
981 /* DiSEqC message */
982 for (i = 0; i < d->msg_len; i++)
983 state->dsec_cmd.args[CX24116_DISEQC_MSGOFS + i] = d->msg[i];
984
The state->dsec_cmd.args[] array has 30 elements. The d->msg[] array
has only 6 elements. We check that we don't write past the end of the
bigger array, but we could read past the end of the smaller array.
d->msg_len comes from the user.
I don't know if this can result in an information leak?
It's weird that we're copying bogus data into the state->dsec_cmd.args[]
array.
regards,
dan carpenter
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2013-02-05 19:00 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-02-05 19:00 V4L/DVB (8986): cx24116: Adding DVB-S2 demodulator support Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox