Commit a24e6348 authored by Colin Ian King's avatar Colin Ian King Committed by Mauro Carvalho Chehab

media: dvb_ca_en50221: sanity check slot number from userspace

Currently a user can pass in an unsanitized slot number which
will lead to and out of range index into ca->slot_info. Fix this
by checking that the slot number is no more than the allowed
maximum number of slots. Seems that this bug has been in the driver
forever.

Detected by CoverityScan, CID#139381 ("Untrusted pointer read")
Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
Reviewed-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarJasmin Jessich <jasmin@anw.at>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
parent 3ee6229f
...@@ -1473,6 +1473,9 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file, ...@@ -1473,6 +1473,9 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
return -EFAULT; return -EFAULT;
buf += 2; buf += 2;
count -= 2; count -= 2;
if (slot >= ca->slot_count)
return -EINVAL;
sl = &ca->slot_info[slot]; sl = &ca->slot_info[slot];
/* check if the slot is actually running */ /* check if the slot is actually running */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment