[media] dvb-usb: check for invalid length in ttusb_process_muxpack()

This patch is driven by a static checker warning. The ttusb_process_muxpack() function is only called from ttusb_process_frame(). Before calling, it verifies that len >= 2. The problem is that len == 2 is not valid and would lead to an array underflow. Odd number values for len are also invalid and would lead to reading past the end of the array. Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Mauro Carvalho Chehab <mchehab@redhat.com>

[media] dvb-usb: check for invalid length in ttusb_process_muxpack()
This patch is driven by a static checker warning. The ttusb_process_muxpack() function is only called from ttusb_process_frame(). Before calling, it verifies that len >= 2. The problem is that len == 2 is not valid and would lead to an array underflow. Odd number values for len are also invalid and would lead to reading past the end of the array. Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Mauro Carvalho Chehab <mchehab@redhat.com>
bf5bbed1 · Dan Carpenter · Mauro Carvalho Chehab · 3e58ac14 · bf5bbed1
隐藏空白更改
内联并排

Showing with 7 addition and 0 deletion

drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c +7 -0

未找到文件。
--- a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
+++ b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
@@ -561,6 +561,13 @@ static void ttusb_process_muxpack(struct ttusb *ttusb, const u8 * muxpack,
 {
 	u16 csum = 0, cc;
 	int i;
+
+	if (len < 4 || len & 0x1) {
+		pr_warn("%s: muxpack has invalid len %d\n", __func__, len);
+		numinvalid++;
+		return;
+	}
+
 	for (i = 0; i < len; i += 2)
 		csum ^= le16_to_cpup((__le16 *) (muxpack + i));
 	if (csum) {