The current test to avoid out of bound access to mb[] is insufficient. For len = 19 non-existent mb[10] will be accessed. A check in the for loop is insufficient to avoid out of bound access in dib9000_mbx_send_attr. Signed-off-by: Heinrich Schuchardt <xypron.glpk@xxxxxx> --- drivers/media/dvb-frontends/dib9000.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/media/dvb-frontends/dib9000.c b/drivers/media/dvb-frontends/dib9000.c index e540cfb..6a71917 100644 --- a/drivers/media/dvb-frontends/dib9000.c +++ b/drivers/media/dvb-frontends/dib9000.c @@ -1040,10 +1040,13 @@ static int dib9000_risc_apb_access_write(struct dib9000_state *state, u32 addres if (address >= 1024 || !state->platform.risc.fw_is_running) return -EINVAL; + if (len > 18) + return -EINVAL; + /* dprintk( "APB access thru wr fw %d %x", address, attribute); */ mb[0] = (unsigned short)address; - for (i = 0; i < len && i < 20; i += 2) + for (i = 0; i < len; i += 2) mb[1 + (i / 2)] = (b[i] << 8 | b[i + 1]); dib9000_mbx_send_attr(state, OUT_MSG_BRIDGE_APB_W, mb, 1 + len / 2, attribute); -- 2.0.0 -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html