Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S965267AbbHDPHN (ORCPT <rfc822;w@1wt.eu>);
	Tue, 4 Aug 2015 11:07:13 -0400
Received: from mx2.suse.de ([195.135.220.15]:58899 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1756688AbbHDOlf (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Tue, 4 Aug 2015 10:41:35 -0400
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "References"
From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
        Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
        Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 3.12 052/123] s5h1420: fix a buffer overflow when checking userspace params
Date: Tue,  4 Aug 2015 16:39:56 +0200
Message-Id: <711a73537338d74e076eb59873815330ddb34a07.1438699154.git.jslaby@suse.cz>
X-Mailer: git-send-email 2.5.0
In-Reply-To: <fe2a2e06fd8af3a00d18691ffeb2b636f685bee4.1438699154.git.jslaby@suse.cz>
References: <fe2a2e06fd8af3a00d18691ffeb2b636f685bee4.1438699154.git.jslaby@suse.cz>
In-Reply-To: <cover.1438699154.git.jslaby@suse.cz>
References: <cover.1438699154.git.jslaby@suse.cz>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1370
Lines: 39

From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 12f4543f5d6811f864e6c4952eb27253c7466c02 upstream.

The maximum size for a DiSEqC command is 6, according to the
userspace API. However, the code allows to write up to 7 values:
	drivers/media/dvb-frontends/s5h1420.c:193 s5h1420_send_master_cmd() error: buffer overflow 'cmd->msg' 6 <= 7

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/media/dvb-frontends/s5h1420.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/dvb-frontends/s5h1420.c b/drivers/media/dvb-frontends/s5h1420.c
index 93eeaf7118fd..0b4f8fe6bf99 100644
--- a/drivers/media/dvb-frontends/s5h1420.c
+++ b/drivers/media/dvb-frontends/s5h1420.c
@@ -180,7 +180,7 @@ static int s5h1420_send_master_cmd (struct dvb_frontend* fe,
 	int result = 0;
 
 	dprintk("enter %s\n", __func__);
-	if (cmd->msg_len > 8)
+	if (cmd->msg_len > sizeof(cmd->msg))
 		return -EINVAL;
 
 	/* setup for DISEQC */
-- 
2.5.0

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/