[PATCH] media: ttusb-budget: validate DiSEqC msg_len before memcpy (CVE-2014-8884 style)

[PATCH] media: ttusb-budget: validate DiSEqC msg_len before memcpy (CVE-2014-8884 style)

[Kery Qi]

ttusb_send_diseqc() builds a fixed 12-byte stack buffer and copies
cmd->msg into it using cmd->msg_len without any bounds check. A crafted
(or buggy) msg_len can make memcpy() write past the end of the stack
buffer.

If this code path is reachable, a local user can trigger the issue via
the DVB frontend DiSEqC master command ioctl by supplying an oversized
msg_len.

Fix by rejecting cmd->msg_len values that do not fit into the remaining
space of the local buffer before calling memcpy(), mirroring the
defensive check used in the CVE-2014-8884 fix.

Although this appears to be dead/unreachable code today, keep it
hardened to avoid future regressions.

Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
---
 drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
index 9e016b71aa91..946c763281cf 100644
--- a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
+++ b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
@@ -456,7 +456,9 @@ static int ttusb_send_diseqc(struct dvb_frontend* fe,
 	b[4] = 0xFF;		/* send diseqc master, not burst */
 	b[5] = cmd->msg_len;
 
-	memcpy(b + 5, cmd->msg, cmd->msg_len);
+	if (cmd->msg_len > sizeof(b) - 6)
+		return -EINVAL;
+	memcpy(b + 6, cmd->msg, cmd->msg_len);
 
 	/* Diseqc */
 	if ((err = ttusb_cmd(ttusb, b, 4 + b[3], 0))) {
-- 
2.34.1