From patchwork Sun Jun 2 18:56:04 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gianluca Gennari X-Patchwork-Id: 2649861
From: Gianluca Gennari To: linux-media@vger.kernel.org, mchehab@redhat.com, crope@iki.fi Cc: mkrufky@linuxtv.org, Gianluca Gennari Subject: [PATCH] rtl28xxu: fix buffer overflow when probing Rafael Micro r820t tuner Date: Sun, 2 Jun 2013 20:56:04 +0200 Message-Id: <1370199364-30060-1-git-send-email-gennarone@gmail.com> X-Mailer: git-send-email 1.8.3 Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org req_r820t wants a buffer with a size of 5 bytes, but the buffer 'buf' has a size of 2 bytes. This patch fixes the kernel oops with the r820t driver on old kernels during the probe stage. Successfully tested on a 2.6.32 32 bit kernel (Ubuntu 10.04). Hopefully it will also help with the random stability issues reported by some user on the linux-media list. This patch and https://patchwork.kernel.org/patch/2524651/ should go in the next 3.10-rc release, as they fix potential kernel crashes. Signed-off-by: Gianluca Gennari --- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c index 22015fe..48f2e6f 100644 --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -360,7 +360,7 @@ static int rtl2832u_read_config(struct dvb_usb_device *d) { struct rtl28xxu_priv *priv = d_to_priv(d); int ret; - u8 buf[2]; + u8 buf[5]; /* open RTL2832U/RTL2832 I2C gate */ struct rtl28xxu_req req_gate_open = {0x0120, 0x0011, 0x0001, "\x18"}; /* close RTL2832U/RTL2832 I2C gate */
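Review bot: The new size in `u8 buf[5];` at the top of rtl2832u_read_config() is a bare literal with no link to the request that needs it. Per the commit message it has to match the 5 bytes req_r820t asks for, but that request's definition is outside this hunk, so the next probe request added with a larger length would overflow the stack buffer again without any warning. Consider a named constant for the largest probe read, or at least a comment on the declaration saying which request dictates the size. A check that the request length does not exceed sizeof(buf) before the transfer would turn a future mismatch into an error return rather than a kernel oops. Since the message says the crash was reproduced on a 2.6.32 kernel and that the fix should go into the next 3.10-rc, it would also help to state in the changelog which commit introduced the 5-byte request, so the fix can be matched to the trees that carry it.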