[linux-dvb] Possible buffer overflow in dst driver

Sigmund Augdal sigmund at snap.tv
Mon Sep 5 19:35:59 CEST 2005

Using current cvs dvb-kernel, I'm trying to sort out some issues with ca
on a twinhan card. I think I discovered what might be a serious problem:

in dvb_bt8xx.c:frontend_init in the BTTV_TWINHAN_DST case right before
the dst_ca_attached I added a case to see if

is set, which it is not. Then I added a printk in the handle_dst_tag
function in dst_ca.c in the block that is run

and this too is executed. grepping around I could find no assignments to
dst_hw_cap, so I tried to see if any of the above members in the struct
could overflow. The only members that are referenced with pointers that
I could find were rx_tuna, tx_tuna and rx_buf. I couldn't see any reason
for these to overflow, but just to test I tried increasing their size
from 10 to 1000. This kept the block in handle_dst_tag from being

If anyone could help shed some light on what might cause this, I would
be very happy.

With regards

Sigmund Augdal
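As an added illustration (not code from the post or from the dvb-kernel tree), a length-checked copy into a small fixed buffer of the kind the post describes. The struct is a constructed model whose field sizes, order and types are assumptions, not the real dst_state: an over-long reply is logged and dropped instead of written past rx_buf, so a member that follows it such as dst_hw_cap is not silently clobbered, and the symptom is reported rather than hidden by enlarging the buffers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the driver state: field names follow the post,
 * but sizes, order and types are assumptions, not the real dst_state. */
#define DST_BUF_SIZE 10
struct dst_state_model {
	uint8_t rx_tuna[DST_BUF_SIZE];
	uint8_t tx_tuna[DST_BUF_SIZE];
	uint8_t rx_buf[DST_BUF_SIZE];
	uint32_t dst_hw_cap;	/* nothing on the post's code path assigns it */
};

/* Length-checked copy into a fixed buffer: a reply longer than the buffer
 * is logged and dropped rather than written past the end, where it would
 * land on whatever member follows in the struct. Returns 0 or -1. */
int dst_copy_checked(uint8_t *dst, size_t dst_size,
		     const uint8_t *src, size_t len, const char *name)
{
	if (len > dst_size) {
		printf("dst: %zu-byte reply exceeds %s (%zu bytes), dropped\n",
		       len, name, dst_size);
		return -1;
	}
	memcpy(dst, src, len);
	return 0;
}

/* Feed a constructed reply of reply_len bytes (capped at 64) into rx_buf. */
int dst_handle_reply(struct dst_state_model *st, size_t reply_len)
{
	uint8_t reply[64];
	memset(reply, 0xAB, sizeof reply);	/* constructed reply bytes */
	if (reply_len > sizeof reply)
		reply_len = sizeof reply;
	return dst_copy_checked(st->rx_buf, sizeof st->rx_buf,
				reply, reply_len, "rx_buf");
}

int main(void)
{
	struct dst_state_model st = {0};
	printf("10 bytes: rc=%d\n", dst_handle_reply(&st, 10));
	/* An over-long reply is refused, so dst_hw_cap stays at its old value. */
	printf("40 bytes: rc=%d, hw_cap=%u\n",
	       dst_handle_reply(&st, 40), (unsigned)st.dst_hw_cap);
	return 0;
}
```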
