[media] dvb-usb: check for invalid length in ttusb_process_muxpack()

This patch is driven by a static checker warning.
The ttusb_process_muxpack() function is only called from
ttusb_process_frame().  Before calling, it verifies that len >= 2.  The
problem is that len == 2 is not valid and would lead to an array
underflow.
Odd number values for len are also invalid and would lead to reading
past the end of the array.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

diff --git a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
index 5b682cc4c814e99501c45f82ea17171029301183..e407185528504b61704113ccb0b8f97be3c367a1 100644 (file)
--- a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
+++ b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
@@ -561,6 +561,13 @@ static void ttusb_process_muxpack(struct ttusb *ttusb, const u8 * muxpack,
 {
        u16 csum = 0, cc;
        int i;
+
+       if (len < 4 || len & 0x1) {
+               pr_warn("%s: muxpack has invalid len %d\n", __func__, len);
+               numinvalid++;
+               return;
+       }
+
        for (i = 0; i < len; i += 2)
                csum ^= le16_to_cpup((__le16 *) (muxpack + i));
        if (csum) {