media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()

rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln. Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353") Cc: stable@vger.kernel.org Signed-off-by: Jeongjun Park <aha310510@gmail.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
author: Jeongjun Park <aha310510@gmail.com> 2025-04-21 21:52:44 +0900
committer: Hans Verkuil <hverkuil+cisco@kernel.org> 2025-10-14 15:07:36 +0200
commit: b91e6aafe8d356086cc621bc03e35ba2299e4788 (patch)
tree: 2d7a41f3781b39f49a6053a1365611ffa290d58f /drivers
parent: 3a8660878839faadb4f1a6dd72c3179c1df56787 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/media/usb/dvb-usb/dtv5100.c b/drivers/media/usb/dvb-usb/dtv5100.c
index 3d85c6f7f6ec..c448e2ebda1a 100644
--- a/drivers/media/usb/dvb-usb/dtv5100.c
+++ b/drivers/media/usb/dvb-usb/dtv5100.c
@@ -55,6 +55,11 @@ static int dtv5100_i2c_msg(struct dvb_usb_device *d, u8 addr,
 	}
 	index = (addr << 8) + wbuf[0];
 
+	if (rlen > sizeof(st->data)) {
+		warn("rlen = %x is too big!\n", rlen);
+		return -EINVAL;
+	}
+
 	memcpy(st->data, rbuf, rlen);
 	msleep(1); /* avoid I2C errors */
 	return usb_control_msg(d->udev, pipe, request,
author	Jeongjun Park <aha310510@gmail.com>	2025-04-21 21:52:44 +0900
committer	Hans Verkuil <hverkuil+cisco@kernel.org>	2025-10-14 15:07:36 +0200
commit	b91e6aafe8d356086cc621bc03e35ba2299e4788 (patch)
tree	2d7a41f3781b39f49a6053a1365611ffa290d58f /drivers
parent	3a8660878839faadb4f1a6dd72c3179c1df56787 (diff)