[linux-dvb] Possible buffer overflow in dst driver

Sigmund Augdal sigmund at snap.tv
Mon Sep 5 19:35:59 CEST 2005


Using current cvs dvb-kernel, I'm trying to sort out some issues with ca
on a twinhan card. I think I discovered what might be a serious problem:

in dvb_bt8xx.c:frontend_init in the BTTV_TWINHAN_DST case right before
the dst_ca_attached I added a case to see if
state->dst_hw_cap&DST_TYPE_HAS_SESSION

is set, which it is not. Then I added a printk in the handle_dst_tag
function in dst_ca.c in the block that is run
if(state->dst_hw_cap&DST_TYPE_HAS_SESSION)

and this too is executed. Grepping around I could find no assignments to
dst_hw_cap, so I tried to see if any of the above members in the struct
could overflow. The only members that are referenced with pointers that
I could find were rx_tuna, tx_tuna and rx_buf. I couldn't see any reason
for these to overflow, but just to test I tried increasing their size
from 10 to 1000. This kept the block in handle_dst_tag from being
executed.

If anyone could help shed some light on what might cause this, I would
be very happy.

With regards

Sigmund Augdal
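The mechanism suspected above, as an added illustration that is not code from the mail or from the dst driver: a hypothetical struct layout mirroring the fields named (a 10-byte rx_buf followed by dst_hw_cap), a reply copied in without a length check so that the excess bytes land in the never-assigned capability word, beside the bounds-checked copy that rejects it. The DST_TYPE_HAS_SESSION value and all function names here are placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Placeholder bit; the real DST_TYPE_HAS_SESSION value lives in the driver. */
#define DST_TYPE_HAS_SESSION 0x10u

/* Hypothetical layout mirroring the fields named in the mail: a 10-byte
 * receive buffer followed by the capability word that is never assigned. */
struct dst_state_demo {
    uint8_t  rx_buf[10];
    uint32_t dst_hw_cap;
};

/* Suspected bug pattern: the reply length is trusted, not checked. The copy
 * goes through a byte view of the whole struct (capped at its end) so the
 * overrun into dst_hw_cap is deterministic and well-defined in this demo. */
static void store_reply_unchecked(struct dst_state_demo *st, const uint8_t *msg, size_t len)
{
    size_t off = offsetof(struct dst_state_demo, rx_buf);
    if (len > sizeof(*st) - off)
        len = sizeof(*st) - off;
    memcpy((unsigned char *)st + off, msg, len);
}

/* The fix: refuse any reply that does not fit rx_buf. Returns 0 or -1. */
int store_reply_checked(struct dst_state_demo *st, const uint8_t *msg, size_t len)
{
    if (len > sizeof(st->rx_buf))
        return -1;
    memcpy(st->rx_buf, msg, len);
    return 0;
}

/* Constructed 16-byte reply, six bytes longer than rx_buf; every byte is 0x10 so
 * whichever bytes land in dst_hw_cap set the session bit on any endianness.
 * Returns 1 if the unchecked copy made the never-assigned bit read as set. */
int demo_unchecked_sets_session(void)
{
    struct dst_state_demo st = {{0}, 0};
    uint8_t reply[16];
    memset(reply, 0x10, sizeof reply);
    store_reply_unchecked(&st, reply, sizeof reply);
    return (st.dst_hw_cap & DST_TYPE_HAS_SESSION) != 0;
}
```

With the checked copy the same overlong reply is refused and dst_hw_cap stays zero, which is the behaviour the size-to-1000 experiment in the mail restored by accident.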
