Opened 11 years ago

Closed 10 years ago

#5859 closed defect (fixed)

Fix for high level CA_PMT handler code (SIGSEGV due to buffer overflow)

Reported by: manuel.kampert@… Owned by: danielk
Priority: minor Milestone: 0.22
Component: mythtv Version: head
Severity: medium Keywords:
Cc: Ticket locked: no

Description

cHlCiHandler::SetCaPmt does not test CaPmt.length > 256. This will cause a SIGSEGV due to memory overwrite at

memcpy(&msg.msg[4], CaPmt.capmt, CaPmt.length);

since msg is a struct ca_msg, and msg.msg is defined in the kernel as msg[256].

Attachments (1)

dvbci.patch (655 bytes) - added by anonymous 11 years ago.


Change History (9)

Changed 11 years ago by anonymous

Attachment: dvbci.patch added

comment:1 Changed 11 years ago by Dibblah

Status: new → infoneeded_new

Can you adjust this patch so it uses appropriate VERBOSE macros, please?

comment:2 Changed 11 years ago by stuartm

Milestone: unknown → 0.22
Version: unknown → head

comment:3 Changed 11 years ago by danielk

Status: infoneeded_new → new

comment:4 Changed 11 years ago by danielk

Owner: changed from Isaac Richards to danielk
Status: new → assigned

comment:5 Changed 10 years ago by danielk

Resolution: fixed
Status: assigned → closed

(In [20618]) Fixes #5859. Fixes segfault on buffer overflow in CA_PMT handler.

(In [20619]) Refs #5859. Use the vdr printf wrappers more consistently (we retarget these to VERBOSE so that the debugging output is more sane in mythtv.)

comment:6 Changed 10 years ago by dekarl@…

This fix still leaves a 4-byte window open for buffer overruns (&msg.msg[4]...); better make it:

if (CaPmt.length > ( sizeof(msg.msg) - 4 ))

instead of:

if (CaPmt.length > 256)
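The overflow from the ticket description and the 4-byte window raised in comment:6, worked through as an added C example (this is not MythTV's or the ticket's own code). struct ca_msg_local, struct ca_pmt_local, the function names, CA_PMT_PAYLOAD_OFFSET and the 0xAA-filled sample CA_PMT are assumptions: the first mirrors the msg[256] layout the ticket attributes to the kernel's struct ca_msg so the file builds without the DVB headers, the second stands in for the handler's CaPmt object. The hard-coded "> 256" predicate and the sizeof-based one are kept side by side so the lengths 253..256 that slip past the first check can be seen to overrun.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed: local stand-in for the kernel's struct ca_msg (<linux/dvb/ca.h>),
 * which the ticket says declares the payload as msg[256]. Declared here so
 * the example builds without the DVB headers; only msg[] matters for the bug. */
struct ca_msg_local {
    unsigned int  index;
    unsigned int  type;
    unsigned int  length;
    unsigned char msg[256];
};

/* Assumed: minimal stand-in for the CaPmt object passed to SetCaPmt(). */
struct ca_pmt_local {
    const uint8_t *capmt;   /* CA_PMT bytes */
    int            length;  /* number of bytes in capmt */
};

/* The payload is copied to &msg.msg[4]; these four header bytes are what a
 * hard-coded "> 256" check fails to subtract. */
#define CA_PMT_PAYLOAD_OFFSET 4
#define CA_MSG_PAYLOAD_SIZE   sizeof(((struct ca_msg_local *)0)->msg)

/* The check the ticket describes for the first fix: it compares against the
 * raw array size, so lengths 253..256 still overrun msg[] by up to 4 bytes. */
static bool rejected_by_first_fix(int length)
{
    return length > 256;
}

/* The check from comment:6: derive the bound from the destination buffer and
 * the offset so it stays right if either changes. A negative length would
 * turn into a huge size_t in memcpy, so it is rejected as well. */
static bool rejected_by_bounded_check(int length)
{
    return length < 0 ||
           (size_t)length > CA_MSG_PAYLOAD_SIZE - CA_PMT_PAYLOAD_OFFSET;
}

/* True when memcpy(&msg.msg[4], ..., length) would write past the end of msg[]. */
static bool copy_would_overrun(int length)
{
    return length < 0 ||
           (size_t)length + CA_PMT_PAYLOAD_OFFSET > CA_MSG_PAYLOAD_SIZE;
}

/* Hardened builder: refuses an oversized CA_PMT instead of overrunning.
 * Returns the total message length, or -1 if the CA_PMT does not fit. */
static int build_ca_pmt_msg(struct ca_msg_local *out, const struct ca_pmt_local *pmt)
{
    if (rejected_by_bounded_check(pmt->length))
        return -1;
    memset(out, 0, sizeof(*out));
    /* msg[0..3] hold the header the real handler fills in; left zero here. */
    memcpy(&out->msg[CA_PMT_PAYLOAD_OFFSET], pmt->capmt, (size_t)pmt->length);
    out->length = (unsigned int)(CA_PMT_PAYLOAD_OFFSET + pmt->length);
    return (int)out->length;
}

/* Constructed input: a CA_PMT of the requested length, filled with 0xAA. */
static int try_build(int length)
{
    static uint8_t buf[512];
    struct ca_msg_local msg;
    struct ca_pmt_local pmt = { buf, length };

    memset(buf, 0xAA, sizeof(buf));
    return build_ca_pmt_msg(&msg, &pmt);
}

int main(void)
{
    const int probes[] = { 252, 253, 256, 257, 300 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int len = probes[i];
        printf("len=%3d  first fix rejects: %d  overruns msg[]: %d  "
               "bounded check rejects: %d  build -> %d\n",
               len, rejected_by_first_fix(len), copy_would_overrun(len),
               rejected_by_bounded_check(len), try_build(len));
    }
    return 0;
}
```

Run as-is to see the probe table: a length of 256 passes the "> 256" test yet overruns msg[] by four bytes, while the sizeof-derived bound rejects everything above 252, the largest payload that actually fits behind the header.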

comment:7 Changed 10 years ago by danielk

Resolution: fixed
Status: closed → new

comment:8 Changed 10 years ago by danielk

Resolution: fixed
Status: new → closed

(In [20657]) Fixes #5859. Really fix buffer overflow bug in DVB CI handler code...
