From: Mauro Carvalho Chehab <mchehab@redhat.com> Date: Tue, 2 Mar 2010 16:17:49 -0500 Subject: [dvb] fix endless loop when decoding ULE at dvb-core Message-id: <4B8D3A2D.8060509@redhat.com> Patchwork-id: 23469 O-Subject: [RHEL 5.6] Fix endless loop when decoding ULE at dvb-core Bugzilla: 569242 RH-Acked-by: Doug Ledford <dledford@redhat.com> RH-Acked-by: Jarod Wilson <jarod@redhat.com> RH-Acked-by: Jiri Pirko <jpirko@redhat.com> RH-Acked-by: Eugene Teo <eugene@redhat.com> BZ#569242 Upstream patch: 29e1fa3565a7951cc415c634eb2b78dbdbee151d ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation has a bug that causes endless loop when Payload Pointer of MPEG2-TS frame is 182 or 183. Anyone who sends malicious MPEG2-TS frame will cause the receiver of ULE SNDU to go into endless loop. Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Jarod Wilson <jarod@redhat.com> diff --git a/drivers/media/dvb/dvb-core/dvb_net.c b/drivers/media/dvb/dvb-core/dvb_net.c index 8859ab7..756302f 100644 --- a/drivers/media/dvb/dvb-core/dvb_net.c +++ b/drivers/media/dvb/dvb-core/dvb_net.c @@ -507,6 +507,7 @@ static void dvb_net_ule( struct net_device *dev, const u8 *buf, size_t buf_len ) "bytes left in TS. Resyncing.\n", ts_remain); priv->ule_sndu_len = 0; priv->need_pusi = 1; + ts += TS_SZ; continue; }