From: Gianluca Gennari <gennarone@gmail.com>
To: Antti Palosaari <crope@iki.fi>
Cc: linux-media@vger.kernel.org, mchehab@redhat.com, mkrufky@linuxtv.org
Subject: Re: [PATCH] rtl28xxu: fix buffer overflow when probing Rafael Micro r820t tuner
Date: Sun, 02 Jun 2013 21:51:22 +0200
Message-ID: <51ABA23A.7070500@gmail.com>
In-Reply-To: <51AB9D3F.4030804@iki.fi>

On 02/06/2013 21:30, Antti Palosaari wrote:
> On 06/02/2013 09:56 PM, Gianluca Gennari wrote:
>> req_r820t wants a buffer with a size of 5 bytes, but the buffer 'buf'
>> has a size of 2 bytes.
>>
>> This patch fixes the kernel oops with the r820t driver on old kernels
>> during the probe stage.
>> Successfully tested on a 2.6.32 32 bit kernel (Ubuntu 10.04).
>> Hopefully it will also help with the random stability issues reported
>> by some user on the linux-media list.
>>
>> This patch and https://patchwork.kernel.org/patch/2524651/
>> should go in the next 3.10-rc release, as they fix potential kernel
>> crashes.
>>
>> Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
>> ---
>>   drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>> b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>> index 22015fe..48f2e6f 100644
>> --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>> +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>> @@ -360,7 +360,7 @@ static int rtl2832u_read_config(struct
>> dvb_usb_device *d)
>>   {
>>       struct rtl28xxu_priv *priv = d_to_priv(d);
>>       int ret;
>> -    u8 buf[2];
>> +    u8 buf[5];
>>       /* open RTL2832U/RTL2832 I2C gate */
>>       struct rtl28xxu_req req_gate_open = {0x0120, 0x0011, 0x0001,
>> "\x18"};
>>       /* close RTL2832U/RTL2832 I2C gate */
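Review bot: the new `u8 buf[5]` declaration hard-codes the length that, per the commit message, req_r820t expects, and nothing in this hunk ties the array size to the request's size field. The same mismatch can return the next time a request in this function grows. Consider a named constant shared by the array and the request initializers, or a check of the request size against sizeof(buf) before the transfer, plus a short comment at the declaration naming the request that dictates the size.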
>>
> 
> Gianluca, could you make that probe to check chip id as usually. Read
> register 0x00 and check value 0x69. Also, please test if writing to that
> address different value will not change register value to see it is
> really chip id.
> 
> regards
> Antti
> 

Hi Antti,
surely it makes sense. I will not have the time to check it until the
end of the coming week, so if someone else wants to do it in advance I
will not take offence ;-)

Regards,
Gianluca
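
The size mismatch described in the quoted commit message (a 5-byte request against a 2-byte buffer), shown as an added user-space example that is not part of the thread or the driver. `demo_req`, `demo_bus_read`, `demo_read_checked` and `demo_probe` are hypothetical names, and the request values are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical descriptor modeled on the {value, index, size, data}
 * initializer visible in the patch context; not the driver's own type. */
struct demo_req {
    uint16_t value, index;
    uint16_t size;   /* bytes a read transfer writes into data */
    uint8_t *data;
};

/* Constructed stand-in for the device: writes req->size bytes to req->data. */
static void demo_bus_read(const struct demo_req *req)
{
    for (uint16_t i = 0; i < req->size; i++)
        req->data[i] = (uint8_t)(0xA0 + i);
}

/* Checked wrapper: refuse a request larger than the destination's capacity. */
static int demo_read_checked(const struct demo_req *req, size_t capacity)
{
    if (req->data == NULL || req->size > capacity)
        return -EINVAL;
    demo_bus_read(req);
    return 0;
}

/* A 5-byte request against a buffer of buf_len bytes. The buffer is the front
 * of an 8-byte array filled with 0xEE, so bytes past buf_len act as guards. */
static int demo_probe(size_t buf_len, int checked, int *guard_intact)
{
    uint8_t storage[8];
    struct demo_req req = { 0x0000, 0x0000, 5, storage }; /* constructed */
    int ret = 0;
    if (buf_len > sizeof(storage)) return -EINVAL;
    memset(storage, 0xEE, sizeof(storage));
    if (checked)
        ret = demo_read_checked(&req, buf_len);
    else
        demo_bus_read(&req);   /* size field trusted, as before the patch */
    *guard_intact = 1;
    for (size_t i = buf_len; i < sizeof(storage); i++)
        *guard_intact &= (storage[i] == 0xEE);
    return ret;
}

int main(void) { int g; return demo_probe(2, 1, &g) == -EINVAL ? 0 : 1; }
```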

