On Mon 2021-06-07 18:23:48, Dan Carpenter wrote:
> The bounds checking in avc_ca_pmt() is not strict enough. It should
> be checking "read_pos + 4" because it's reading 5 bytes. If the
> "es_info_length" is non-zero then it reads a 6th byte so there needs to
> be an additional check for that.
>
> I also added checks for the "write_pos". I don't think these are
> required because "read_pos" and "write_pos" are tied together so
> checking one ought to be enough. But they make the code easier to
> understand for me. The check on write_pos is:
>
> if (write_pos + 4 >= sizeof(c->operand) - 4) {
>
> The first "+ 4" is because we're writing 5 bytes and the last " - 4"
> is to leave space for the CRC.
>
> The other problem is that "length" can be invalid. It comes from
> "data_length" in fdtv_ca_pmt().
>
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: Luo Likang <luolikang@xxxxxxxxxxx>
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

I do not see this fix in 5.14-rc1. Has it been solved another way in the end, please?

Best Regards,
Petr
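A stand-alone model of the loop and the checks the quoted message describes, added here as an example and not the firedtv driver's code: the "read_pos + 4" loop condition, the "write_pos + 4 >= size - 4" check, and the separate check before the 6th byte. The operand size, the CA PMT entry layout (ca_pmt_cmd_id as the first info byte) and the sample bytes are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define OPERAND_SIZE 509 /* assumed buffer size; the message does not give it */
#define CRC_SPACE 4      /* the "- 4" in the quoted check: room for the CRC */

/* Model of the ES-entry loop with the strict checks from the commit message:
 * 5 bytes per entry (stream_type, elementary_PID, es_info_length), then
 * es_info_length more bytes when it is non-zero, the 6th being ca_pmt_cmd_id
 * (assumed CA PMT layout). Returns the final write position or -EINVAL. */
static int copy_es_entries(const uint8_t *msg, size_t length, uint8_t *operand,
                           size_t operand_size, size_t write_pos)
{
    size_t read_pos = 0;

    /* 5 bytes are read per entry, so index read_pos + 4 must be in range */
    while (read_pos + 4 < length) {
        /* 5 bytes are written per entry; keep CRC_SPACE bytes free */
        if (write_pos + 4 >= operand_size - CRC_SPACE)
            return -EINVAL;
        operand[write_pos++] = msg[read_pos++]; /* stream_type */
        operand[write_pos++] = msg[read_pos++]; /* elementary_PID, high byte */
        operand[write_pos++] = msg[read_pos++]; /* elementary_PID, low byte */
        size_t es_info_length = ((msg[read_pos] & 0x0f) << 8) | msg[read_pos + 1];
        read_pos += 2;
        operand[write_pos++] = (uint8_t)(es_info_length >> 8);
        operand[write_pos++] = (uint8_t)es_info_length;
        if (es_info_length > 0) {
            /* the 6th byte lies beyond the 5 checked above: check it too */
            if (read_pos >= length)
                return -EINVAL;
            /* remaining info bytes: bound against both input and output */
            if (es_info_length > length - read_pos ||
                es_info_length > operand_size - CRC_SPACE - write_pos)
                return -EINVAL;
            memcpy(&operand[write_pos], &msg[read_pos], es_info_length);
            read_pos += es_info_length;
            write_pos += es_info_length;
        }
    }
    return (int)write_pos;
}

/* Constructed sample: two ES entries, the second carrying 3 info bytes. */
static int run_sample(size_t length, size_t operand_size)
{
    static const uint8_t msg[] = {0x02,0xe0,0x64,0xf0,0x00, 0x04,0xe0,0x65,0xf0,0x03,0x01,0x09,0x00};
    uint8_t operand[OPERAND_SIZE];
    return copy_es_entries(msg, length, operand, operand_size, 0);
}
```

A trailing fragment of 1 to 4 bytes ends the loop rather than being rejected, which is what the quoted "read_pos + 4" condition does; `length` itself is still taken on trust, which is the separate "data_length" concern the message raises.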