| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250621155219.517909-1-alexguo1023@gmail.com>
Date: Sat, 21 Jun 2025 11:52:19 -0400
From: Alex Guo <alexguo1023@...il.com>
To: mchehab@...nel.org
Cc: alexguo1023@...il.com,
hverkuil@...all.nl,
linux-media@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer
msg is controlled by user. If accessing msg.buf without sanity
check, null pointer deref would happen. Although there are some
existing checks on msg.len, they do not cover all buffer access
points. Therefore, we add an additional check on msg.len to
prevent potential crashes.
Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027:
fix null-ptr-deref in az6027_i2c_xfer()")
Signed-off-by: Alex Guo <alexguo1023@...il.com>
---
drivers/media/usb/dvb-usb-v2/ce6230.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/dvb-usb-v2/ce6230.c b/drivers/media/usb/dvb-usb-v2/ce6230.c
index 7ebaf3ee4491..6490003f5a85 100644
--- a/drivers/media/usb/dvb-usb-v2/ce6230.c
+++ b/drivers/media/usb/dvb-usb-v2/ce6230.c
@@ -101,7 +101,7 @@ static int ce6230_i2c_master_xfer(struct i2c_adapter *adap,
if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) {
if (msg[i].addr ==
ce6230_zl10353_config.demod_address) {
- if (msg[i].len < 1) {
+ if (msg[i].len < 1 || msg[i+1].len < 1) {
i = -EOPNOTSUPP;
break;
}
--
2.34.1
Powered by blists - more mailing lists