media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
stable inclusion from stable-v5.10.197 commit 97fdbdb750342cbc204befde976872fedb406ee6 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I96Q8P Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=97fdbdb750342cbc204befde976872fedb406ee6 -------------------------------- [ Upstream commit 5ae544d9 ] In dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach dw2102_i2c_transfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 950e252c ("[media] dw2102: limit messages to buffer size") Signed-off-by:Zhang Shurong <zhang_shurong@foxmail.com> Signed-off-by:
Loading
Please sign in to comment