
[linux-dvb] vdr / OSDSetPalette oops with 2.6.x



I've poked around the bug mentioned in
http://www.linuxtv.org:81/mailinglists/linux-dvb/2004/05-2004/msg00445.html
I can easily see why it does that...

static int dvb_osd_ioctl(struct inode *inode, struct file *file,
                         unsigned int cmd, void *parg)
{
        struct dvb_device *dvbdev = (struct dvb_device *) file->private_data;
        struct av7110 *av7110 = (struct av7110 *) dvbdev->priv;

        DEB_EE(("av7110: %p\n", av7110));

        /* parg is the raw userspace pointer; it is handed on without copy_from_user() */
        if (cmd == OSD_SEND_CMD)
                return av7110_osd_cmd(av7110, (osd_cmd_t *) parg);

        return -EINVAL;
}

which is obviously missing a copy_from_user(&karg, parg, sizeof(osd_cmd_t)),
and if data != NULL, like it is in OSD_SetPalette or OSD_SetBlock,
copy_from_user() that as well.

I think this requires API changes to really work, currently osd_cmd_t is

typedef struct osd_cmd_s {
        OSD_Command cmd;
        int x0;
        int y0;
        int x1;
        int y1;
        int color;
        void *data;
} osd_cmd_t;

so there's no way for the kernel to know how long data is so it can copy
it. It definitely can't use the pointer provided by userspace directly, even
though that might have worked previously.
