Message ID | 20170920221959.5979-1-colin.king@canonical.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Looks good.
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
regards,
dan carpenter
Good catch! > Seems that this bug has been in the driver forever. Indeed ... and I overlooked it during my recent changes to that module. Reviewed-by: Jasmin Jessich <jasmin@anw.at> BR, Jasmin
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c index 95b3723282f4..e3a92b529dba 100644 --- a/drivers/media/dvb-core/dvb_ca_en50221.c +++ b/drivers/media/dvb-core/dvb_ca_en50221.c @@ -1474,6 +1474,9 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file, return -EFAULT; buf += 2; count -= 2; + + if (slot >= ca->slot_count) + return -EINVAL; sl = &ca->slot_info[slot]; /* check if the slot is actually running */