Commit a10feaf8 authored by Tomas Bortoli's avatar Tomas Bortoli Committed by Mauro Carvalho Chehab
Browse files

media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() 



The function at issue does not always initialize each byte allocated
for 'b' and can therefore leak uninitialized memory to a USB device in
the call to usb_bulk_msg()

Use kzalloc() instead of kmalloc()

Signed-off-by: default avatarTomas Bortoli <tomasbortoli@gmail.com>
Reported-by: default avatar <syzbot+0522702e9d67142379f1@syzkaller.appspotmail.com>
Signed-off-by: default avatarSean Young <sean@mess.org>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
parent 6f005abb

drivers/media/usb/ttusb-dec/ttusb_dec.c

+1 −1
Original line number Diff line number Diff line
@@ -319,7 +319,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command, 


	dprintk("%s\n", __func__);



	b = kmalloc(COMMAND_PACKET_SIZE + 4, GFP_KERNEL);

	b = kzalloc(COMMAND_PACKET_SIZE + 4, GFP_KERNEL);

	if (!b)

		return -ENOMEM;

CRA Git | Maintained and supported by SUSTech CRA and CCSE