Commit 3d932ee2 authored by Malcolm Priestley's avatar Malcolm Priestley Committed by Mauro Carvalho Chehab
Browse files

media: dvb-usb-v2: lmedm04: Improve logic checking of warm start 



Warm start has no check as whether a genuine device has
connected and proceeds to next execution path.

Check device should read 0x47 at offset of 2 on USB descriptor read
and it is the amount requested of 6 bytes.

Fix for
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access as

Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
parent 1e6f57b2

drivers/media/usb/dvb-usb-v2/lmedm04.c

+18 −8
Original line number Diff line number Diff line
@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid, 


static int lme2510_return_status(struct dvb_usb_device *d)

{

	int ret = 0;

	int ret;

	u8 *data;



	data = kzalloc(10, GFP_KERNEL);

	data = kzalloc(6, GFP_KERNEL);

	if (!data)

		return -ENOMEM;



	ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),

			0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);

	info("Firmware Status: %x (%x)", ret , data[2]);

	ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),

			      0x06, 0x80, 0x0302, 0x00,

			      data, 0x6, 200);

	if (ret != 6)

		ret = -EINVAL;

	else

		ret = data[2];



	info("Firmware Status: %6ph", data);



	ret = (ret < 0) ? -ENODEV : data[2];

	kfree(data);

	return ret;

}
@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d) 
static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)

{

	struct lme2510_state *st = d->priv;

	int status;



	usb_reset_configuration(d->udev);
@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name) 


	st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;



	if (lme2510_return_status(d) == 0x44) {

	status = lme2510_return_status(d);

	if (status == 0x44) {

		*name = lme_firmware_switch(d, 0);

		return COLD;

	}



	return 0;

	if (status != 0x47)

		return -EINVAL;



	return WARM;

}



static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,

CRA Git | Maintained and supported by SUSTech CRA and CCSE