diff options
| author |   Dan Carpenter <dan.carpenter@oracle.com> | 2013-02-07 04:24:49 -0300 |
|---|---|---|
| committer |   Mauro Carvalho Chehab <mchehab@redhat.com> | 2013-02-08 17:29:52 -0200 |
| commit | bf5bbed15c41228ea1abbb8d3931050922bfc37f (patch) | |
| tree | 84e9db5c9d1e57a42ccbcb7ffaaefb8d0ee1f025 /drivers/media | |
| parent | [media] s5p-tv: Include missing platform_device.h header (diff) | |
| download | linux-dev-bf5bbed15c41228ea1abbb8d3931050922bfc37f.tar.xz linux-dev-bf5bbed15c41228ea1abbb8d3931050922bfc37f.zip | |
[media] dvb-usb: check for invalid length in ttusb_process_muxpack()
This patch is driven by a static checker warning.
The ttusb_process_muxpack() function is only called from
ttusb_process_frame(). Before calling, it verifies that len >= 2. The
problem is that len == 2 is not valid and would lead to an array
underflow.
Odd number values for len are also invalid and would lead to reading
past the end of the array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers/media')
| -rw-r--r-- | drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c index 5b682cc4c814..e40718552850 100644 --- a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c +++ b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c @@ -561,6 +561,13 @@ static void ttusb_process_muxpack(struct ttusb *ttusb, const u8 * muxpack, { u16 csum = 0, cc; int i; + + if (len < 4 || len & 0x1) { + pr_warn("%s: muxpack has invalid len %d\n", __func__, len); + numinvalid++; + return; + } + for (i = 0; i < len; i += 2) csum ^= le16_to_cpup((__le16 *) (muxpack + i)); if (csum) { |