projects / platform / kernel / linux-starfive.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 8914ae0) | patch
media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
authorWei Chen <harperchen1110@gmail.com>
Fri, 10 Mar 2023 16:56:04 +0000 (16:56 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Jun 2023 08:34:11 +0000 (10:34 +0200)
commit1027c8c068f070ce8773ffbd2b897e2baf4b5b6e
treeceffa07dcb6375d07b2ccfcf52b1171776e7efbatree | snapshot
parent8914ae00db45ce3af541ddc3bc5303719ca0ea13commit | diff
media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()

[ Upstream commit 858e97d7956d17a2cb56a9413468704a4d5abfe1 ]

In az6027_i2c_xfer, msg is controlled by user. When msg[i].buf is null,
commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in
az6027_i2c_xfer()") fix the null-ptr-deref bug when msg[i].addr is 0x99.
However, null-ptr-deref also happens when msg[i].addr is 0xd0 and 0xc0.
We add check on msg[i].len to prevent null-ptr-deref.

Link: https://lore.kernel.org/linux-media/20230310165604.3093483-1-harperchen1110@gmail.com
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/media/usb/dvb-usb/az6027.c diff | blob | history
Domain: System / Kernel;