This updated patch also fixes out of bound access to b[]. In dib9000_risc_apb_access_write() an out of bound access to mb[]. The current test to avoid out of bound access to mb[] is insufficient. For len = 19 non-existent mb[10] will be accessed. For odd values of len b[] is accessed out of bounds. For large values of len an of bound access to mb[] may occur in dib9000_mbx_send_attr. Signed-off-by: Heinrich Schuchardt <xypron.glpk@xxxxxx> --- drivers/media/dvb-frontends/dib9000.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/media/dvb-frontends/dib9000.c b/drivers/media/dvb-frontends/dib9000.c index e540cfb..f75dec4 100644 --- a/drivers/media/dvb-frontends/dib9000.c +++ b/drivers/media/dvb-frontends/dib9000.c @@ -1040,13 +1040,18 @@ static int dib9000_risc_apb_access_write(struct dib9000_state *state, u32 addres if (address >= 1024 || !state->platform.risc.fw_is_running) return -EINVAL; + if (len > 18) + return -EINVAL; + /* dprintk( "APB access thru wr fw %d %x", address, attribute); */ - mb[0] = (unsigned short)address; - for (i = 0; i < len && i < 20; i += 2) - mb[1 + (i / 2)] = (b[i] << 8 | b[i + 1]); + mb[0] = (u16)address; + for (i = 0; i + 1 < len; i += 2) + mb[1 + i / 2] = b[i] << 8 | b[i + 1]; + if (len & 1) + mb[1 + len / 2] = b[len - 1] << 8; - dib9000_mbx_send_attr(state, OUT_MSG_BRIDGE_APB_W, mb, 1 + len / 2, attribute); + dib9000_mbx_send_attr(state, OUT_MSG_BRIDGE_APB_W, mb, (3 + len) / 2, attribute); return dib9000_mbx_get_message_attr(state, IN_MSG_END_BRIDGE_APB_RW, mb, &s, attribute) == 1 ? 0 : -EINVAL; } -- 2.0.0 -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html