[media] rc: divide by zero bugs in s_tx_carrier()

"carrier" comes from a get_user() in ir_lirc_ioctl().  We need to test
that it's not zero before using it as a divisor.  It might have been
nice to test for this ir_lirc_ioctl() but the mceusb driver uses zero to
disable carrier modulation.
The bug in redrat3 is a little more subtle.  The ->carrier is passed to
mod_freq_to_val() which uses it as a divisor.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

diff --git a/drivers/media/rc/ene_ir.c b/drivers/media/rc/ene_ir.c
index 647dd95..d05ac15 100644 (file)
--- a/drivers/media/rc/ene_ir.c
+++ b/drivers/media/rc/ene_ir.c
@@ -881,10 +881,13 @@ static int ene_set_tx_mask(struct rc_dev *rdev, u32 tx_mask)
 static int ene_set_tx_carrier(struct rc_dev *rdev, u32 carrier)
 {
        struct ene_device *dev = rdev->priv;
-       u32 period = 2000000 / carrier;
+       u32 period;
 
        dbg("TX: attempt to set tx carrier to %d kHz", carrier);
+       if (carrier == 0)
+               return -EINVAL;
 
+       period = 2000000 / carrier;
        if (period && (period > ENE_CIRMOD_PRD_MAX ||
                        period < ENE_CIRMOD_PRD_MIN)) {
 

diff --git a/drivers/media/rc/nuvoton-cir.c b/drivers/media/rc/nuvoton-cir.c
index 699eef3..2ea913a 100644 (file)
--- a/drivers/media/rc/nuvoton-cir.c
+++ b/drivers/media/rc/nuvoton-cir.c
@@ -517,6 +517,9 @@ static int nvt_set_tx_carrier(struct rc_dev *dev, u32 carrier)
        struct nvt_dev *nvt = dev->priv;
        u16 val;
 
+       if (carrier == 0)
+               return -EINVAL;
+
        nvt_cir_reg_write(nvt, 1, CIR_CP);
        val = 3000000 / (carrier) - 1;
        nvt_cir_reg_write(nvt, val & 0xff, CIR_CC);

diff --git a/drivers/media/rc/redrat3.c b/drivers/media/rc/redrat3.c
index 49731b1..9f5a17b 100644 (file)
--- a/drivers/media/rc/redrat3.c
+++ b/drivers/media/rc/redrat3.c
@@ -890,6 +890,9 @@ static int redrat3_set_tx_carrier(struct rc_dev *rcdev, u32 carrier)
        struct device *dev = rr3->dev;
 
        rr3_dbg(dev, "Setting modulation frequency to %u", carrier);
+       if (carrier == 0)
+               return -EINVAL;
+
        rr3->carrier = carrier;
 
        return carrier;