On Mon, Aug 16, 2021 at 10:27:22AM +0300, Dan Carpenter wrote:
> The bounds checking in avc_ca_pmt() is not strict enough.  It should
> be checking "read_pos + 4" because it's reading 5 bytes.  If the
> "es_info_length" is non-zero then it reads a 6th byte so there needs to
> be an additional check for that.
>
> I also added checks for the "write_pos".  I don't think these are
> required because "read_pos" and "write_pos" are tied together so
> checking one ought to be enough.  But they make the code easier to
> understand for me.  The check on write_pos is:
>
> 	if (write_pos + 4 >= sizeof(c->operand) - 4) {
>
> The first "+ 4" is because we're writing 5 bytes and the last " - 4"
> is to leave space for the CRC.
>
> The other problem is that "length" can be invalid.  It comes from
> "data_length" in fdtv_ca_pmt().  Added a check in fdtv_ca_pmt() to
> prevent that.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: Luo Likang <luolikang@xxxxxxxxxxx>
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> RESEND: this patch got lost somehow.
>

What the heck?  Someone on patchwork just marked this patch as obsolete
again!!!

Mauro, can you figure out who's doing that and what's going on?  The first
time it was marked as obsolete then I asked about it twice, Greg asked
about it, and Salvatore Bonaccorso asked about it.  But all we get are
anonymous notifications from patchwork.  It's a bit frustrating.

regards,
dan carpenter