Commit cec43d5a authored by Zhang Shurong's avatar Zhang Shurong Committed by sanglipeng
Browse files

media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer 

stable inclusion
from stable-v5.10.183
commit 7945c13c9b7fd7cc0725e6a8cd30480b08eed858
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8IRR2

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7945c13c9b7fd7cc0725e6a8cd30480b08eed858

--------------------------------

[ Upstream commit aa4a447b ]

In rtl28xxu_i2c_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach rtl28xxu_i2c_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.

Similar commit:
commit 0ed554fd
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")

Link: https://lore.kernel.org/linux-media/tencent_3623572106754AC2F266B316798B0F6CCA05@qq.com


Signed-off-by: default avatarZhang Shurong <zhang_shurong@foxmail.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarsanglipeng <sanglipeng1@jd.com>
parent 8d95ca4e
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment