From patchwork Thu Jul 23 18:16:57 2009
X-Patchwork-Submitter: Roel Kluin
X-Patchwork-Id: 36992
X-Patchwork-Delegate: dougsland@redhat.com
Message-ID: <4A68A919.8070404@gmail.com>
Date: Thu, 23 Jul 2009 20:16:57 +0200
From: Roel Kluin
To: mchehab@infradead.org, uris@siano-ms.com, linux-media@vger.kernel.org, Andrew Morton
Subject: [PATCH] Siano: Read buffer overflow
X-Mailing-List: linux-media@vger.kernel.org

With mode DEVICE_MODE_RAW_TUNER a read occurs past the end of smscore_fw_lkup[].
Subsequently an attempt is made to load the firmware from the resulting filename.

Signed-off-by: Roel Kluin
---
This can be reached only when coredev->device_flags contains SMS_DEVICE_FAMILY2,
coredev->modes_supported does not include the DEVICE_MODE_RAW_TUNER bit flag, and
the initial attempt to load firmware. Can this happen in practice on the hardware
in question?

diff --git a/drivers/media/dvb/siano/smscoreapi.c b/drivers/media/dvb/siano/smscoreapi.c
index a246903..bd9ab9d 100644
--- a/drivers/media/dvb/siano/smscoreapi.c
+++ b/drivers/media/dvb/siano/smscoreapi.c
@@ -816,7 +816,7 @@ int smscore_set_device_mode(struct smscore_device_t *coredev, int mode)
 	sms_debug("set device mode to %d", mode);
 
 	if (coredev->device_flags & SMS_DEVICE_FAMILY2) {
-		if (mode < DEVICE_MODE_DVBT || mode > DEVICE_MODE_RAW_TUNER) {
+		if (mode < DEVICE_MODE_DVBT || mode >= DEVICE_MODE_RAW_TUNER) {
 			sms_err("invalid mode specified %d", mode);
 			return -EINVAL;
 		}
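Review bot: changing `mode > DEVICE_MODE_RAW_TUNER` to `mode >= DEVICE_MODE_RAW_TUNER` in the SMS_DEVICE_FAMILY2 branch does stop the out-of-bounds read into smscore_fw_lkup[], but it does so by rejecting DEVICE_MODE_RAW_TUNER with -EINVAL for every FAMILY2 device, which is a behaviour change the commit message should state explicitly (raw-tuner mode becomes unsupported on this path) rather than presenting it only as a bounds fix. If raw-tuner mode is meant to remain selectable on some of this hardware, the fix belongs in the table rather than the guard; either way, a check written against the table's actual size (for example `mode >= ARRAY_SIZE(smscore_fw_lkup)`) would keep this range check and the lookup table from drifting apart again when modes are added.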