Opened 17 years ago

Closed 17 years ago

#5859 closed defect (fixed)

Fix for high level CA_PMT handler code (SIGSEGV due to buffer overflow)

Reported by: manuel.kampert@… Owned by: danielk
Priority: minor Milestone: 0.22
Component: mythtv Version: head
Severity: medium Keywords:
Cc: Ticket locked: no

Description

cHlCiHandler::SetCaPmt does not test CaPmt.length > 256. This will cause a SIGSEGV due to memory overwrite at

memcpy(&msg.msg[4], CaPmt.capmt, CaPmt.length);

as struct ca_msg msg msg.msg is defined in the kernel as msg[256].

Attachments (1)

dvbci.patch (655 bytes ) - added by anonymous 17 years ago.

Download all attachments as: .zip

Change History (9)

by anonymous, 17 years ago

Attachment: dvbci.patch added

comment:1 by Dibblah, 17 years ago

Status: newinfoneeded_new

Can you adjust this patch so it uses appropriate VERBOSE macros, please?

comment:2 by stuartm, 17 years ago

Milestone: unknown0.22
Version: unknownhead

comment:3 by danielk, 17 years ago

Status: infoneeded_newnew

comment:4 by danielk, 17 years ago

Owner: changed from Isaac Richards to danielk
Status: newassigned

comment:5 by danielk, 17 years ago

Resolution: fixed
Status: assignedclosed

(In [20618]) Fixes #5859. Fixes segfault on buffer overflow in CA_PMT handler. (In [20619]) Refs #5859. Use the vdr printf's wrappers more consistently (we retarget these to VERBOSE so that the debugging output is more sane in mythtv.)

comment:6 by dekarl@…, 17 years ago

this fix still leaves a 4 byte window open for buffer overruns (&msg.msg[4]...) better make it:

if (CaPmt.length > ( sizeof(msg.msg) - 4 ))

instead of:

if (CaPmt.length > 256)

comment:7 by danielk, 17 years ago

Resolution: fixed
Status: closednew

comment:8 by danielk, 17 years ago

Resolution: fixed
Status: newclosed

(In [20657]) Fixes #5859. Really fix buffer overflow bug in DVB CI handler code...

Note: See TracTickets for help on using tickets.