* [patch] [media] DVB: dvb_frontend: off by one in dtv_property_dump()
@ 2011-05-26 8:44 Dan Carpenter
2011-05-26 11:16 ` Andreas Oberritter
0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2011-05-26 8:44 UTC (permalink / raw)
To: Mauro Carvalho Chehab
Cc: Andreas Oberritter, Arnd Bergmann, Steven Toth, Lucas De Marchi,
linux-media, kernel-janitors
If the tvp->cmd = DTV_MAX_COMMAND then we read past the end of the
array.
Signed-off-by: Dan Carpenter <error27@gmail.com>
diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
index 9827804..607e293 100644
--- a/drivers/media/dvb/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
@@ -981,7 +981,7 @@ static void dtv_property_dump(struct dtv_property *tvp)
{
int i;
- if (tvp->cmd <= 0 || tvp->cmd > DTV_MAX_COMMAND) {
+ if (tvp->cmd <= 0 || tvp->cmd >= DTV_MAX_COMMAND) {
printk(KERN_WARNING "%s: tvp.cmd = 0x%08x undefined\n",
__func__, tvp->cmd);
return;
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [patch] [media] DVB: dvb_frontend: off by one in dtv_property_dump()
2011-05-26 8:44 [patch] [media] DVB: dvb_frontend: off by one in dtv_property_dump() Dan Carpenter
@ 2011-05-26 11:16 ` Andreas Oberritter
2011-06-04 13:36 ` Mauro Carvalho Chehab
0 siblings, 1 reply; 4+ messages in thread
From: Andreas Oberritter @ 2011-05-26 11:16 UTC (permalink / raw)
To: Dan Carpenter
Cc: Mauro Carvalho Chehab, Arnd Bergmann, Steven Toth,
Lucas De Marchi, linux-media, kernel-janitors
Hi Dan,
On 05/26/2011 10:44 AM, Dan Carpenter wrote:
> If the tvp->cmd = DTV_MAX_COMMAND then we read past the end of the
> array.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
>
> diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
> index 9827804..607e293 100644
> --- a/drivers/media/dvb/dvb-core/dvb_frontend.c
> +++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
> @@ -981,7 +981,7 @@ static void dtv_property_dump(struct dtv_property *tvp)
> {
> int i;
>
> - if (tvp->cmd <= 0 || tvp->cmd > DTV_MAX_COMMAND) {
> + if (tvp->cmd <= 0 || tvp->cmd >= DTV_MAX_COMMAND) {
> printk(KERN_WARNING "%s: tvp.cmd = 0x%08x undefined\n",
> __func__, tvp->cmd);
> return;
thanks for spotting this, but this fixes the wrong end. This does not need to
be applied to kernels older than 2.6.40.
From 6d8588a4546fd4df717ca61450f99fb9c1b13a5f Mon Sep 17 00:00:00 2001
From: Andreas Oberritter <obi@linuxtv.org>
Date: Thu, 26 May 2011 10:54:14 +0000
Subject: [PATCH] DVB: dvb_frontend: fix dtv_property_dump for DTV_DVBT2_PLP_ID
- Add missing entry to array "dtv_cmds".
- Set array size to DTV_MAX_COMMAND + 1 to avoid future off-by-ones.
Signed-off-by: Andreas Oberritter <obi@linuxtv.org>
---
drivers/media/dvb/dvb-core/dvb_frontend.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
index 9827804..bed7bfe 100644
--- a/drivers/media/dvb/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
@@ -904,7 +904,7 @@ static int dvb_frontend_clear_cache(struct dvb_frontend *fe)
.buffer = b \
}
-static struct dtv_cmds_h dtv_cmds[] = {
+static struct dtv_cmds_h dtv_cmds[DTV_MAX_COMMAND + 1] = {
_DTV_CMD(DTV_TUNE, 1, 0),
_DTV_CMD(DTV_CLEAR, 1, 0),
@@ -966,6 +966,7 @@ static struct dtv_cmds_h dtv_cmds[] = {
_DTV_CMD(DTV_ISDBT_LAYERC_TIME_INTERLEAVING, 0, 0),
_DTV_CMD(DTV_ISDBS_TS_ID, 1, 0),
+ _DTV_CMD(DTV_DVBT2_PLP_ID, 1, 0),
/* Get */
_DTV_CMD(DTV_DISEQC_SLAVE_REPLY, 0, 1),
--
1.7.2.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [patch] [media] DVB: dvb_frontend: off by one in dtv_property_dump()
2011-05-26 11:16 ` Andreas Oberritter
@ 2011-06-04 13:36 ` Mauro Carvalho Chehab
2011-06-04 16:52 ` walter harms
0 siblings, 1 reply; 4+ messages in thread
From: Mauro Carvalho Chehab @ 2011-06-04 13:36 UTC (permalink / raw)
To: Andreas Oberritter
Cc: Dan Carpenter, Arnd Bergmann, Steven Toth, Lucas De Marchi,
linux-media, kernel-janitors
Em 26-05-2011 08:16, Andreas Oberritter escreveu:
> Hi Dan,
>
> On 05/26/2011 10:44 AM, Dan Carpenter wrote:
>> If the tvp->cmd = DTV_MAX_COMMAND then we read past the end of the
>> array.
>>
>> Signed-off-by: Dan Carpenter <error27@gmail.com>
>>
>> diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
>> index 9827804..607e293 100644
>> --- a/drivers/media/dvb/dvb-core/dvb_frontend.c
>> +++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
>> @@ -981,7 +981,7 @@ static void dtv_property_dump(struct dtv_property *tvp)
>> {
>> int i;
>>
>> - if (tvp->cmd <= 0 || tvp->cmd > DTV_MAX_COMMAND) {
>> + if (tvp->cmd <= 0 || tvp->cmd >= DTV_MAX_COMMAND) {
>> printk(KERN_WARNING "%s: tvp.cmd = 0x%08x undefined\n",
>> __func__, tvp->cmd);
>> return;
>
> thanks for spotting this, but this fixes the wrong end. This does not need to
> be applied to kernels older than 2.6.40.
>
> From 6d8588a4546fd4df717ca61450f99fb9c1b13a5f Mon Sep 17 00:00:00 2001
> From: Andreas Oberritter <obi@linuxtv.org>
> Date: Thu, 26 May 2011 10:54:14 +0000
> Subject: [PATCH] DVB: dvb_frontend: fix dtv_property_dump for DTV_DVBT2_PLP_ID
>
> - Add missing entry to array "dtv_cmds".
> - Set array size to DTV_MAX_COMMAND + 1 to avoid future off-by-ones.
Patchwork.kernel.org is not reliable at all. It missed this entire thread.
Andreas patch is the right thing to do.
Thank you both for reporting and fixing this issue. I'm applying the
patch right now.
>
> Signed-off-by: Andreas Oberritter <obi@linuxtv.org>
> ---
> drivers/media/dvb/dvb-core/dvb_frontend.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
> index 9827804..bed7bfe 100644
> --- a/drivers/media/dvb/dvb-core/dvb_frontend.c
> +++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
> @@ -904,7 +904,7 @@ static int dvb_frontend_clear_cache(struct dvb_frontend *fe)
> .buffer = b \
> }
>
> -static struct dtv_cmds_h dtv_cmds[] = {
> +static struct dtv_cmds_h dtv_cmds[DTV_MAX_COMMAND + 1] = {
> _DTV_CMD(DTV_TUNE, 1, 0),
> _DTV_CMD(DTV_CLEAR, 1, 0),
>
> @@ -966,6 +966,7 @@ static struct dtv_cmds_h dtv_cmds[] = {
> _DTV_CMD(DTV_ISDBT_LAYERC_TIME_INTERLEAVING, 0, 0),
>
> _DTV_CMD(DTV_ISDBS_TS_ID, 1, 0),
> + _DTV_CMD(DTV_DVBT2_PLP_ID, 1, 0),
>
> /* Get */
> _DTV_CMD(DTV_DISEQC_SLAVE_REPLY, 0, 1),
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [patch] [media] DVB: dvb_frontend: off by one in dtv_property_dump()
2011-06-04 13:36 ` Mauro Carvalho Chehab
@ 2011-06-04 16:52 ` walter harms
0 siblings, 0 replies; 4+ messages in thread
From: walter harms @ 2011-06-04 16:52 UTC (permalink / raw)
To: Mauro Carvalho Chehab
Cc: Andreas Oberritter, Dan Carpenter, Arnd Bergmann, Steven Toth,
Lucas De Marchi, linux-media, kernel-janitors
Am 04.06.2011 15:36, schrieb Mauro Carvalho Chehab:
> Em 26-05-2011 08:16, Andreas Oberritter escreveu:
>> Hi Dan,
>>
>> On 05/26/2011 10:44 AM, Dan Carpenter wrote:
>>> If the tvp->cmd = DTV_MAX_COMMAND then we read past the end of the
>>> array.
>>>
>>> Signed-off-by: Dan Carpenter <error27@gmail.com>
>>>
>>> diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
>>> index 9827804..607e293 100644
>>> --- a/drivers/media/dvb/dvb-core/dvb_frontend.c
>>> +++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
>>> @@ -981,7 +981,7 @@ static void dtv_property_dump(struct dtv_property *tvp)
>>> {
>>> int i;
>>>
>>> - if (tvp->cmd <= 0 || tvp->cmd > DTV_MAX_COMMAND) {
>>> + if (tvp->cmd <= 0 || tvp->cmd >= DTV_MAX_COMMAND) {
>>> printk(KERN_WARNING "%s: tvp.cmd = 0x%08x undefined\n",
>>> __func__, tvp->cmd);
>>> return;
>>
>> thanks for spotting this, but this fixes the wrong end. This does not need to
>> be applied to kernels older than 2.6.40.
>>
>> From 6d8588a4546fd4df717ca61450f99fb9c1b13a5f Mon Sep 17 00:00:00 2001
>> From: Andreas Oberritter <obi@linuxtv.org>
>> Date: Thu, 26 May 2011 10:54:14 +0000
>> Subject: [PATCH] DVB: dvb_frontend: fix dtv_property_dump for DTV_DVBT2_PLP_ID
>>
>> - Add missing entry to array "dtv_cmds".
>> - Set array size to DTV_MAX_COMMAND + 1 to avoid future off-by-ones.
>
> Patchwork.kernel.org is not reliable at all. It missed this entire thread.
>
> Andreas patch is the right thing to do.
>
> Thank you both for reporting and fixing this issue. I'm applying the
> patch right now.
>
>>
>> Signed-off-by: Andreas Oberritter <obi@linuxtv.org>
>> ---
>> drivers/media/dvb/dvb-core/dvb_frontend.c | 3 ++-
>> 1 files changed, 2 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
>> index 9827804..bed7bfe 100644
>> --- a/drivers/media/dvb/dvb-core/dvb_frontend.c
>> +++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
>> @@ -904,7 +904,7 @@ static int dvb_frontend_clear_cache(struct dvb_frontend *fe)
>> .buffer = b \
>> }
>>
>> -static struct dtv_cmds_h dtv_cmds[] = {
>> +static struct dtv_cmds_h dtv_cmds[DTV_MAX_COMMAND + 1] = {
>> _DTV_CMD(DTV_TUNE, 1, 0),
>> _DTV_CMD(DTV_CLEAR, 1, 0),
>>
>> @@ -966,6 +966,7 @@ static struct dtv_cmds_h dtv_cmds[] = {
>> _DTV_CMD(DTV_ISDBT_LAYERC_TIME_INTERLEAVING, 0, 0),
>>
>> _DTV_CMD(DTV_ISDBS_TS_ID, 1, 0),
>> + _DTV_CMD(DTV_DVBT2_PLP_ID, 1, 0),
>>
>> /* Get */
>> _DTV_CMD(DTV_DISEQC_SLAVE_REPLY, 0, 1),
>
>
Do you really want a fixed size array ?
perhaps it is better to leave it struct dtv_cmds_h dtv_cmds[]
and use ARRAY_SIZE(dtv_cmds) instead of DTV_MAX_COMMAND ?
i do not see any use beyond dtv_property_dump().
re,
wh
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-06-04 16:52 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-05-26 8:44 [patch] [media] DVB: dvb_frontend: off by one in dtv_property_dump() Dan Carpenter
2011-05-26 11:16 ` Andreas Oberritter
2011-06-04 13:36 ` Mauro Carvalho Chehab
2011-06-04 16:52 ` walter harms
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).