diff mbox series

media: az6007: fix out-of-bounds in az6007_i2c_xfer()

Message ID 20250421105555.34984-1-aha310510@gmail.com
State New
Headers show
Series media: az6007: fix out-of-bounds in az6007_i2c_xfer() | expand

Commit Message

Jeongjun Park April 21, 2025, 10:55 a.m. UTC 
According to the previous commit 1047f9343011 ("media: az6007: 
Fix null-ptr-deref in az6007_i2c_xfer()"), msgs[i].len is user-controlled.

In the previous commit, bounds checking was added because a null-ptr-deref 
bug occurs when msgs[i].buf and msgs[i].len are set to null. However, this 
leads to an out-of-bounds vuln for st->data when msgs[i].len is set to a 
large value.

Therefore, code to check the maximum value of msgs[i].len needs to be added.

Fixes: 1047f9343011 ("media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
 drivers/media/usb/dvb-usb-v2/az6007.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--
diff mbox series

Patch

diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..fba1b6c08dc7 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -788,7 +788,7 @@  static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 			if (az6007_xfer_debug)
 				printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
 				       addr, msgs[i].len);
-			if (msgs[i].len < 1) {
+			if (msgs[i].len < 1 || msgs[i].len + 1 > sizeof(st->data)) {
 				ret = -EIO;
 				goto err;
 			}
@@ -806,7 +806,7 @@  static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 			if (az6007_xfer_debug)
 				printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
 				       addr, msgs[i].len);
-			if (msgs[i].len < 1) {
+			if (msgs[i].len < 1 || msgs[i].len + 5 > sizeof(st->data)) {
 				ret = -EIO;
 				goto err;
 			}