From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Date: Tue, 28 Apr 2015 22:03:59 +0000 (-0300)
Subject: [media] cx24117: fix a buffer overflow when checking userspace params
X-Git-Tag: firefly_0821_release~176^2~795^2~956
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=82e3b88b679049f043fe9b03991d6d66fc0a43c8;p=firefly-linux-kernel-4.4.55.git

[media] cx24117: fix a buffer overflow when checking userspace params

The maximum size for a DiSEqC command is 6, according to the
userspace API. However, the code allows to write up much more values:
	drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg() error: buffer overflow 'd->msg' 6 <= 23

Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---

diff --git a/drivers/media/dvb-frontends/cx24117.c b/drivers/media/dvb-frontends/cx24117.c
index acb965ce0358..af6363573efd 100644
--- a/drivers/media/dvb-frontends/cx24117.c
+++ b/drivers/media/dvb-frontends/cx24117.c
@@ -1043,7 +1043,7 @@ static int cx24117_send_diseqc_msg(struct dvb_frontend *fe,
 	dev_dbg(&state->priv->i2c->dev, ")\n");
 
 	/* Validate length */
-	if (d->msg_len > 15)
+	if (d->msg_len > sizeof(d->msg))
 		return -EINVAL;
 
 	/* DiSEqC message */