This is an automatic generated email to let you know that the following patch were queued at the http://git.linuxtv.org/media_tree.git tree:
Subject: [media] dvb-usb: check for invalid length in ttusb_process_muxpack() Author: Dan Carpenter <dan.carpen...@oracle.com> Date: Thu Feb 7 04:24:49 2013 -0300 This patch is driven by a static checker warning. The ttusb_process_muxpack() function is only called from ttusb_process_frame(). Before calling, it verifies that len >= 2. The problem is that len == 2 is not valid and would lead to an array underflow. Odd number values for len are also invalid and would lead to reading past the end of the array. Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mche...@redhat.com> drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) --- http://git.linuxtv.org/media_tree.git?a=commitdiff;h=bf5bbed15c41228ea1abbb8d3931050922bfc37f diff --git a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c index 5b682cc..e407185 100644 --- a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c +++ b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c @@ -561,6 +561,13 @@ static void ttusb_process_muxpack(struct ttusb *ttusb, const u8 * muxpack, { u16 csum = 0, cc; int i; + + if (len < 4 || len & 0x1) { + pr_warn("%s: muxpack has invalid len %d\n", __func__, len); + numinvalid++; + return; + } + for (i = 0; i < len; i += 2) csum ^= le16_to_cpup((__le16 *) (muxpack + i)); if (csum) { _______________________________________________ linuxtv-commits mailing list linuxtv-commits@linuxtv.org http://www.linuxtv.org/cgi-bin/mailman/listinfo/linuxtv-commits
