From patchwork Fri Jul 22 08:36:29 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans Verkuil X-Patchwork-Id: 9243171 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 407D9602F0 for ; Fri, 22 Jul 2016 08:36:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 307A7200E7 for ; Fri, 22 Jul 2016 08:36:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2581527F95; Fri, 22 Jul 2016 08:36:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B735D200E7 for ; Fri, 22 Jul 2016 08:36:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751824AbcGVIgi (ORCPT ); Fri, 22 Jul 2016 04:36:38 -0400 Received: from lb2-smtp-cloud6.xs4all.net ([194.109.24.28]:43717 "EHLO lb2-smtp-cloud6.xs4all.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751455AbcGVIgg (ORCPT ); Fri, 22 Jul 2016 04:36:36 -0400 Received: from tschai.lan ([90.149.38.145]) by smtp-cloud6.xs4all.net with ESMTP id MkcW1t00B37uBN201kca1r; Fri, 22 Jul 2016 10:36:34 +0200 Received: from [192.168.1.137] (marune.xs4all.nl [80.101.105.217]) by tschai.lan (Postfix) with ESMTPSA id 82E2F180241 for ; Fri, 22 Jul 2016 10:36:30 +0200 (CEST) To: "linux-media@vger.kernel.org" From: Hans Verkuil Subject: [PATCH for v4.8] cec: fix off-by-one memset Message-ID: <25978667-969b-be9e-2600-8a8b50554856@xs4all.nl> Date: Fri, 22 Jul 2016 10:36:29 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.2.0 MIME-Version: 1.0 Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The unused bytes of the features array should be zeroed, but the start index was one byte too early. This caused the device features byte to be overwritten by 0. The compliance test for the CEC_S_LOG_ADDRS ioctl didn't catch this because it tested byte continuation with the second device features byte being 0 :-( Signed-off-by: Hans Verkuil --- -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/staging/media/cec/cec-adap.c b/drivers/staging/media/cec/cec-adap.c index 9fffddb..b2393bb 100644 --- a/drivers/staging/media/cec/cec-adap.c +++ b/drivers/staging/media/cec/cec-adap.c @@ -1252,7 +1252,7 @@ int __cec_s_log_addrs(struct cec_adapter *adap, return -EINVAL; } /* Zero unused part of the feature array */ - memset(features + i, 0, feature_sz - i); + memset(features + i + 1, 0, feature_sz - i - 1); } if (log_addrs->cec_version >= CEC_OP_CEC_VERSION_2_0) {