media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer - linux.git

diff options

author	Zhang Shurong	2023-05-07 15:52:47 +0100
committer	Mauro Carvalho Chehab	2023-05-14 06:30:03 +0100
commit	aa4a447b81b84f69c1a89ad899df157f386d7636 (patch)
tree	51a5b1024a8acbbfa51c448315b8c0d5c0051df7 /fs/minix
parent	dff919090155fb22679869e8469168f270dcd97f (diff)

media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer

In rtl28xxu_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach rtl28xxu_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Link: https://lore.kernel.org/linux-media/tencent_3623572106754AC2F266B316798B0F6CCA05@qq.com Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>

Diffstat (limited to 'fs/minix')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: