diff mbox

[Lucid,Precise,CVE-2014-8884,media] ttusb-dec: buffer overflow in ioctl

Message ID 1416831371-3953-1-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques Nov. 24, 2014, 12:16 p.m. UTC 
From: Dan Carpenter <dan.carpenter@oracle.com>

We need to add a limit check here so we don't overflow the buffer.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
(backported from commit f2e323ec96077642d397bb1c355def536d489d16)
CVE-2014-8884
BugLink: http://bugs.launchpad.net/bugs/1395187
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 drivers/media/dvb/ttusb-dec/ttusbdecfe.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Andy Whitcroft Nov. 24, 2014, 12:53 p.m. UTC | #1 
On Mon, Nov 24, 2014 at 12:16:11PM +0000, Luis Henriques wrote:
> From: Dan Carpenter <dan.carpenter@oracle.com>
> 
> We need to add a limit check here so we don't overflow the buffer.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
> (backported from commit f2e323ec96077642d397bb1c355def536d489d16)
> CVE-2014-8884
> BugLink: http://bugs.launchpad.net/bugs/1395187
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  drivers/media/dvb/ttusb-dec/ttusbdecfe.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
> index 21260aad1e54..852870b80df3 100644
> --- a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
> +++ b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
> @@ -154,6 +154,9 @@ static int ttusbdecfe_dvbs_diseqc_send_master_cmd(struct dvb_frontend* fe, struc
>  		   0x00, 0x00, 0x00, 0x00,
>  		   0x00, 0x00 };
>  
> +	if (cmd->msg_len > sizeof(b) - 4)
> +		return -EINVAL;
> +
>  	memcpy(&b[4], cmd->msg, cmd->msg_len);
>  
>  	state->config->send_command(fe, 0x72,


Looks identicle to the original, simple, looks to do what is claimed,
therefore:

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
Stefan Bader Nov. 24, 2014, 1:03 p.m. UTC | #2
Andy Whitcroft Nov. 24, 2014, 1:25 p.m. UTC | #3 
Applied to Lucid and Precise.

-apw
diff mbox

Patch

diff --git a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
index 21260aad1e54..852870b80df3 100644
--- a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
+++ b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
@@ -154,6 +154,9 @@  static int ttusbdecfe_dvbs_diseqc_send_master_cmd(struct dvb_frontend* fe, struc
 		   0x00, 0x00, 0x00, 0x00,
 		   0x00, 0x00 };
 
+	if (cmd->msg_len > sizeof(b) - 4)
+		return -EINVAL;
+
 	memcpy(&b[4], cmd->msg, cmd->msg_len);
 
 	state->config->send_command(fe, 0x72,