Hello Steven Toth,
The patch 0d46748c3f87: "V4L/DVB (8986): cx24116: Adding DVB-S2
demodulator support" from Sep 4, 2008, leads to the following warning:
"drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg()
error: buffer overflow 'd->msg' 6 <= 23"
drivers/media/dvb-frontends/cx24116.c
977 /* Validate length */
978 if (d->msg_len > (CX24116_ARGLEN - CX24116_DISEQC_MSGOFS))
979 return -EINVAL;
980
981 /* DiSEqC message */
982 for (i = 0; i < d->msg_len; i++)
983 state->dsec_cmd.args[CX24116_DISEQC_MSGOFS + i] =
d->msg[i];
984
The state->dsec_cmd.args[] array has 30 elements. The d->msg[] array
has only 6 elements. We check that we don't write past the end of the
bigger array, but we could read past the end of the smaller array.
d->msg_len comes from the user.
I don't know if this can result in an information leak?
It's weird that we're copying bogus data into the state->dsec_cmd.args[]
array.
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
