[media] dvb-usb: check for invalid length in ttusb_process_muxpack()

This patch is driven by a static checker warning. The ttusb_process_muxpack() function is only called from ttusb_process_frame(). Before calling, it verifies that len >= 2. The problem is that len == 2 is not valid and would lead to an array underflow. Odd number values for len are also invalid and would lead to reading past the end of the array. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
author: Dan Carpenter <dan.carpenter@oracle.com> 2013-02-07 04:24:49 -0300
committer: Mauro Carvalho Chehab <mchehab@redhat.com> 2013-02-08 17:29:52 -0200
commit: bf5bbed15c41228ea1abbb8d3931050922bfc37f (patch)
tree: 84e9db5c9d1e57a42ccbcb7ffaaefb8d0ee1f025 /drivers/media
parent: 3e58ac14ad2c443d86c5bed0137a010fe4d16fe2 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
index 5b682cc4c81..e4071855285 100644
--- a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
+++ b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
@@ -561,6 +561,13 @@ static void ttusb_process_muxpack(struct ttusb *ttusb, const u8 * muxpack,
 {
 	u16 csum = 0, cc;
 	int i;
+
+	if (len < 4 || len & 0x1) {
+		pr_warn("%s: muxpack has invalid len %d\n", __func__, len);
+		numinvalid++;
+		return;
+	}
+
 	for (i = 0; i < len; i += 2)
 		csum ^= le16_to_cpup((__le16 *) (muxpack + i));
 	if (csum) {
author	Dan Carpenter <dan.carpenter@oracle.com>	2013-02-07 04:24:49 -0300
committer	Mauro Carvalho Chehab <mchehab@redhat.com>	2013-02-08 17:29:52 -0200
commit	bf5bbed15c41228ea1abbb8d3931050922bfc37f (patch)
tree	84e9db5c9d1e57a42ccbcb7ffaaefb8d0ee1f025 /drivers/media
parent	3e58ac14ad2c443d86c5bed0137a010fe4d16fe2 (diff)