Hi,

[linux-distros list dropped as not anymore relevant for embargo]

On Wed, Sep 01, 2021 at 01:40:26PM +0300, Dan Carpenter wrote:
> On Mon, Aug 16, 2021 at 10:27:22AM +0300, Dan Carpenter wrote:
> > The bounds checking in avc_ca_pmt() is not strict enough.  It should
> > be checking "read_pos + 4" because it's reading 5 bytes.  If the
> > "es_info_length" is non-zero then it reads a 6th byte so there needs to
> > be an additional check for that.
> >
> > I also added checks for the "write_pos".  I don't think these are
> > required because "read_pos" and "write_pos" are tied together so
> > checking one ought to be enough.  But they make the code easier to
> > understand for me.  The check on write_pos is:
> >
> > 	if (write_pos + 4 >= sizeof(c->operand) - 4) {
> >
> > The first "+ 4" is because we're writing 5 bytes and the last " - 4"
> > is to leave space for the CRC.
> >
> > The other problem is that "length" can be invalid.  It comes from
> > "data_length" in fdtv_ca_pmt().  Added a check in fdtv_ca_pmt() to
> > prevent that.
> >
> > Cc: stable@xxxxxxxxxxxxxxx
> > Reported-by: Luo Likang <luolikang@xxxxxxxxxxx>
> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> > ---
> > RESEND: this patch got lost somehow.
> >
>
> What the heck?  Someone on patchwork just marked this patch as obsolete
> again!!!
>
> Mauro can you figure out who's doing that and what's going on?  The
> first time it was marked as obsolete then I asked about it twice, Greg
> asked about it, and Salvatore Bonaccorso asked about it.  But all we
> get are anonymous notifications from patchwork.  It's a bit frustrating.

Someone knows what is going on here, i.e. what is the problem?

Regards,
Salvatore
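
The bounds checks described in the quoted commit message, worked through as an added example (not part of this thread and not the kernel patch itself). The function name copy_es_headers(), the 64-byte OPERAND_SIZE, the entry layout and the sample inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPERAND_SIZE 64u /* assumed for this example, not the driver's value */
#define CRC_LEN 4u       /* bytes kept free at the end of operand[] */

/* Constructed inputs. Assumed entry layout: type(1) pid(2) es_info_length(2),
 * then es_info_length further bytes (command byte first) when non-zero. */
static const uint8_t two_entries[] = { 0x02, 0x00, 0x64, 0x00, 0x03, 0x01, 0xaa, 0xbb,
                                       0x04, 0x00, 0x65, 0x00, 0x00 };
static const uint8_t lying_length[] = { 0x02, 0x00, 0x64, 0x00, 0x03 };
static const uint8_t zero_entries[65] = { 0 }; /* 13 entries, es_info_length 0 */

/* Copy each entry's 5-byte header into operand[]; return bytes written,
 * or -1 when an entry would cross the end of either buffer. */
static int copy_es_headers(const uint8_t *msg, size_t length,
                           uint8_t operand[OPERAND_SIZE])
{
    size_t read_pos = 0, write_pos = 0;
    while (read_pos < length) {
        /* 5 bytes are read: msg[read_pos] .. msg[read_pos + 4] */
        if (read_pos + 4 >= length)
            return -1;
        /* 5 bytes are written and CRC_LEN bytes must remain after them */
        if (write_pos + 4 >= OPERAND_SIZE - CRC_LEN)
            return -1;
        size_t es_info_length =
            ((size_t)(msg[read_pos + 3] & 0x0f) << 8) | msg[read_pos + 4];
        memcpy(&operand[write_pos], &msg[read_pos], 5);
        read_pos += 5;
        write_pos += 5;
        /* a non-zero length means a 6th byte (and more) follows the header;
         * all of it must lie inside the message before it is skipped */
        if (es_info_length > length - read_pos)
            return -1;
        read_pos += es_info_length;
    }
    return (int)write_pos;
}

int main(void)
{
    uint8_t op[OPERAND_SIZE];
    printf("%d ", copy_es_headers(two_entries, sizeof(two_entries), op));
    printf("%d ", copy_es_headers(lying_length, sizeof(lying_length), op));
    printf("%d\n", copy_es_headers(zero_entries, sizeof(zero_entries), op));
    return 0;
}
```

With these inputs, twelve 5-byte headers fill bytes 0..59 and leave exactly four for the CRC; the thirteenth entry is rejected by the write_pos check rather than by the read_pos check.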