Currently, the function ce6230_ctrl_msg, doesnt't check the size of the
control message that is supposed to be read/written, which causes the
error Syzbot reported at the usb core function usb_submit_urb after calling
usb_control_msg in the driver code. This patch fixes the issue by returning
an error code if the req->data_len == 0 inside ce6230_ctrl_msg.

Fixes: eebb876b0b8f ("V4L/DVB (11216): Add driver for Intel CE6230 DVB-T USB2.0")
Reported-by: syzbot+427909a2e3b2f83d78cb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=427909a2e3b2f83d78cb
Tested-by: syzbot+427909a2e3b2f83d78cb@syzkaller.appspotmail.com
Signed-off-by: Jakov Novak <jakovnovak30@gmail.com>
---
 drivers/media/usb/dvb-usb-v2/ce6230.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/usb/dvb-usb-v2/ce6230.c b/drivers/media/usb/dvb-usb-v2/ce6230.c
index 7ebaf3ee4491..3152a34777f9 100644
--- a/drivers/media/usb/dvb-usb-v2/ce6230.c
+++ b/drivers/media/usb/dvb-usb-v2/ce6230.c
@@ -23,6 +23,13 @@ static int ce6230_ctrl_msg(struct dvb_usb_device *d, struct usb_req *req)
 	value = req->value;
 	index = req->index;
 
+	if (!req->data_len) {
+		dev_err(&d->udev->dev,
+			"%s: cannot send crtl_msg of size 0",
+			KBUILD_MODNAME);
+		return -ENOBUFS;
+	}
+
 	switch (req->cmd) {
 	case I2C_READ:
 	case DEMOD_READ:
-- 
2.54.0