From ad5c5859f0cf86c82483527d09f8063cd3a4a562 Mon Sep 17 00:00:00 2001
From: Jaroslav Kysela <perex@perex.cz>
Date: Thu, 19 Jun 2014 16:25:01 +0200
Subject: [PATCH] cwc: fix some NULL dereferences

---
 src/descrambler/cwc.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/descrambler/cwc.c b/src/descrambler/cwc.c
index 264e5998..0a49f741 100755
--- a/src/descrambler/cwc.c
+++ b/src/descrambler/cwc.c
@@ -664,12 +664,21 @@ cwc_decode_card_data_reply(cwc_t *cwc, uint8_t *msg, int len)
 /**
  * Login command
  */
-static void
+static int
 cwc_send_login(cwc_t *cwc)
 {
   uint8_t buf[CWS_NETMSGSIZE];
-  int ul = strlen(cwc->cwc_username) + 1;
-  int pl = strlen(cwc->cwc_password_salted) + 1;
+  size_t ul, pl;
+
+  if (cwc->cwc_username == NULL ||
+      cwc->cwc_password_salted == NULL)
+    return 1;
+
+  ul = strlen(cwc->cwc_username) + 1;
+  pl = strlen(cwc->cwc_password_salted) + 1;
+
+  if (ul + pl > 255)
+    return 1;
 
   buf[0] = MSG_CLIENT_2_SERVER_LOGIN;
   buf[1] = 0;
@@ -678,6 +687,8 @@ cwc_send_login(cwc_t *cwc)
   memcpy(buf + 3 + ul, cwc->cwc_password_salted, pl);
  
   cwc_send_msg(cwc, buf, ul + pl + 3, TVHEADEND_PROTOCOL_ID, 0, 0, 0);
+
+  return 0;
 }
 
 
@@ -1031,7 +1042,8 @@ cwc_session(cwc_t *cwc)
   /**
    * Login
    */
-  cwc_send_login(cwc);
+  if (cwc_send_login(cwc))
+    return;
   
   if(cwc_read_message(cwc, "Wait login response", 5000) < 0)
     return;
@@ -1121,6 +1133,7 @@ cwc_thread(void *aux)
     while(cwc->cwc_running && cwc->cwc_enabled == 0)
       pthread_cond_wait(&cwc->cwc_cond, &cwc_mutex);
     if (cwc->cwc_running == 0) continue;
+    if (cwc->cwc_hostname == NULL) continue;
 
     snprintf(hostname, sizeof(hostname), "%s", cwc->cwc_hostname);
     port = cwc->cwc_port;