media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
stable inclusion from stable-v5.10.197 commit a9def3e9718a4dc756f48db147d42ec41a966240 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I96Q8P Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a9def3e9718a4dc756f48db147d42ec41a966240 -------------------------------- [ Upstream commit 1047f934 ] In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach az6007_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by:Zhang Shurong <zhang_shurong@foxmail.com> Signed-off-by:
Loading
Please sign in to comment