From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Date: Tue, 28 Apr 2015 21:34:40 +0000 (-0300)
Subject: s5h1420: fix a buffer overflow when checking userspace params
X-Git-Tag: v2.6.32.68~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55e780c13d7c2a1ba5c31af81334b0fb40a77fca;p=thirdparty%2Fkernel%2Fstable.git

s5h1420: fix a buffer overflow when checking userspace params

commit 12f4543f5d6811f864e6c4952eb27253c7466c02 upstream.

The maximum size for a DiSEqC command is 6, according to the
userspace API. However, the code allows to write up to 7 values:
	drivers/media/dvb-frontends/s5h1420.c:193 s5h1420_send_master_cmd() error: buffer overflow 'cmd->msg' 6 <= 7

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit 4bf124b5f179a9c169c57ef7cd3a74f239063ed1)

Signed-off-by: Willy Tarreau <w@1wt.eu>
---

diff --git a/drivers/media/dvb/frontends/s5h1420.c b/drivers/media/dvb/frontends/s5h1420.c
index 2e9fd2893ede8..6134578ae3927 100644
--- a/drivers/media/dvb/frontends/s5h1420.c
+++ b/drivers/media/dvb/frontends/s5h1420.c
@@ -180,7 +180,7 @@ static int s5h1420_send_master_cmd (struct dvb_frontend* fe,
 	int result = 0;
 
 	dprintk("enter %s\n", __func__);
-	if (cmd->msg_len > 8)
+	if (cmd->msg_len > sizeof(cmd->msg))
 		return -EINVAL;
 
 	/* setup for DISEQC */