From patchwork Thu Aug 6 23:01:15 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Morton X-Patchwork-Id: 39710 X-Patchwork-Delegate: dougsland@redhat.com Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n76N1OYb001365 for ; Thu, 6 Aug 2009 23:01:29 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752717AbZHFXBZ (ORCPT ); Thu, 6 Aug 2009 19:01:25 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1756777AbZHFXBZ (ORCPT ); Thu, 6 Aug 2009 19:01:25 -0400 Received: from smtp1.linux-foundation.org ([140.211.169.13]:47278 "EHLO smtp1.linux-foundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752717AbZHFXBY (ORCPT ); Thu, 6 Aug 2009 19:01:24 -0400 Received: from imap1.linux-foundation.org (imap1.linux-foundation.org [140.211.169.55]) by smtp1.linux-foundation.org (8.14.2/8.13.5/Debian-3ubuntu1.1) with ESMTP id n76N1GLE016152 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Aug 2009 16:01:17 -0700 Received: from localhost.localdomain (localhost [127.0.0.1]) by imap1.linux-foundation.org (8.13.5.20060308/8.13.5/Debian-3ubuntu1.1) with ESMTP id n76N1FIw029970; Thu, 6 Aug 2009 16:01:15 -0700 Message-Id: <200908062301.n76N1FIw029970@imap1.linux-foundation.org> Subject: [patch 4/9] siano: read buffer overflow To: mchehab@infradead.org Cc: linux-media@vger.kernel.org, akpm@linux-foundation.org, roel.kluin@gmail.com From: akpm@linux-foundation.org Date: Thu, 06 Aug 2009 16:01:15 -0700 X-Spam-Status: No, hits=-3.511 required=5 tests=AWL, BAYES_00, OSDL_HEADER_SUBJECT_BRACKETED X-Spam-Checker-Version: SpamAssassin 3.2.4-osdl_revision__1.47__ X-MIMEDefang-Filter: lf$Revision: 1.188 $ X-Scanned-By: MIMEDefang 2.63 on 140.211.169.13 Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org From: Roel Kluin With mode DEVICE_MODE_RAW_TUNER a read occurs past the end of smscore_fw_lkup[]. Subsequently an attempt is made to load the firmware from the resulting filename. Signed-off-by: Roel Kluin Cc: Mauro Carvalho Chehab Signed-off-by: Andrew Morton --- drivers/media/dvb/siano/smscoreapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN drivers/media/dvb/siano/smscoreapi.c~siano-read-buffer-overflow drivers/media/dvb/siano/smscoreapi.c --- a/drivers/media/dvb/siano/smscoreapi.c~siano-read-buffer-overflow +++ a/drivers/media/dvb/siano/smscoreapi.c @@ -816,7 +816,7 @@ int smscore_set_device_mode(struct smsco sms_debug("set device mode to %d", mode); if (coredev->device_flags & SMS_DEVICE_FAMILY2) { - if (mode < DEVICE_MODE_DVBT || mode > DEVICE_MODE_RAW_TUNER) { + if (mode < DEVICE_MODE_DVBT || mode >= DEVICE_MODE_RAW_TUNER) { sms_err("invalid mode specified %d", mode); return -EINVAL; }