
Commit aa4a447

ZhangShurong authored and mchehab committed
media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
In rtl28xxu_i2c_xfer, msg is controlled by user. When msg[i].buf is NULL and msg[i].len is zero, the earlier checks on msg[i].buf are passed, and the malicious data finally reaches rtl28xxu_i2c_xfer. If msg[i].buf[0] is accessed without a sanity check, a NULL pointer dereference happens. We add a check on msg[i].len to prevent the crash. Similar commit: commit 0ed554f ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Link: https://lore.kernel.org/linux-media/[email protected] Signed-off-by: Zhang Shurong <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]>
1 parent dff9190 commit aa4a447

1 file changed

+20
-0
lines changed

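--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
@@ -176,6 +176,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
 ret = -EOPNOTSUPP;
 goto err_mutex_unlock;
 } else if (msg[0].addr == 0x10) {
+if (msg[0].len < 1 || msg[1].len < 1) {
+ret = -EOPNOTSUPP;
+goto err_mutex_unlock;
+}
 /* method 1 - integrated demod */
 if (msg[0].buf[0] == 0x00) {
 /* return demod page from driver cache */
@@ -189,6 +193,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
 ret = rtl28xxu_ctrl_msg(d, &req);
 }
 } else if (msg[0].len < 2) {
+if (msg[0].len < 1) {
+ret = -EOPNOTSUPP;
+goto err_mutex_unlock;
+}
 /* method 2 - old I2C */
 req.value = (msg[0].buf[0] << 8) | (msg[0].addr << 1);
 req.index = CMD_I2C_RD;
@@ -217,8 +225,16 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
 ret = -EOPNOTSUPP;
 goto err_mutex_unlock;
 } else if (msg[0].addr == 0x10) {
+if (msg[0].len < 1) {
+ret = -EOPNOTSUPP;
+goto err_mutex_unlock;
+}
 /* method 1 - integrated demod */
 if (msg[0].buf[0] == 0x00) {
+if (msg[0].len < 2) {
+ret = -EOPNOTSUPP;
+goto err_mutex_unlock;
+}
 /* save demod page for later demod access */
 dev->page = msg[0].buf[1];
 ret = 0;
@@ -231,6 +247,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
 ret = rtl28xxu_ctrl_msg(d, &req);
 }
 } else if ((msg[0].len < 23) && (!dev->new_i2c_write)) {
+if (msg[0].len < 1) {
+ret = -EOPNOTSUPP;
+goto err_mutex_unlock;
+}
 /* method 2 - old I2C */
 req.value = (msg[0].buf[0] << 8) | (msg[0].addr << 1);
 req.index = CMD_I2C_WR;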
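Review bot: The new length guards carry no comment explaining why a zero-length message reaches this point, so a later reader may take them for redundant with the existing buf checks and drop them; the first guard (new line 179) deserves `/* msg[] comes from userspace; len == 0 means buf[0] does not exist */`. The same `msg[0].len < 1` guard with an identical error path is repeated in four branches (new lines 179, 196, 228, 250), which invites drift; if no branch of this function legitimately handles a zero-length message, a single check before the branch chain, or a small static helper, would cover them all, with only the first branch additionally needing `msg[1].len`. The `msg[0].len < 2` guard at new line 234 is correctly placed since `msg[0].buf[1]` is read just below it. rtl28xxu_i2c_xfer starts and ends outside these hunks, so I cannot confirm whether an earlier check already covers any of these cases.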
