[bug report] buffer overflow in redrat3_transmit_ir()

public inbox for linux-media@vger.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: jarod@redhat.com
Cc: linux-media@vger.kernel.org
Subject: [bug report] buffer overflow in redrat3_transmit_ir()
Date: Wed, 15 Aug 2012 17:41:15 +0300	[thread overview]
Message-ID: <20120815144115.GA25050@elgon.mountain> (raw)

Hello Jarod Wilson,

The patch 2154be651b90: "[media] redrat3: new rc-core IR transceiver 
device driver" from May 4, 2011, leads to the following warning:
drivers/media/rc/redrat3.c:948 redrat3_transmit_ir()
	 error: buffer overflow 'sample_lens' 128 <= 254

drivers/media/rc/redrat3.c
   929          sample_lens = kzalloc(sizeof(int) * RR3_DRIVER_MAXLENS, GFP_KERNEL);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
sample_lens has space for 128 ints.

   930          if (!sample_lens) {
   931                  ret = -ENOMEM;
   932                  goto out;
   933          }
   934  
   935          for (i = 0; i < count; i++) {
   936                  for (lencheck = 0; lencheck < curlencheck; lencheck++) {
   937                          cur_sample_len = redrat3_us_to_len(txbuf[i]);
   938                          if (sample_lens[lencheck] == cur_sample_len)
   939                                  break;
   940                  }
   941                  if (lencheck == curlencheck) {
   942                          cur_sample_len = redrat3_us_to_len(txbuf[i]);
   943                          rr3_dbg(dev, "txbuf[%d]=%u, pos %d, enc %u\n",
   944                                  i, txbuf[i], curlencheck, cur_sample_len);
   945                          if (curlencheck < 255) {
                                    ^^^^^^^^^^^^^^^^^
curlencheck goes up  to 254.

   946                                  /* now convert the value to a proper
   947                                   * rr3 value.. */
   948                                  sample_lens[curlencheck] = cur_sample_len;
                                        ^^^^^^^^^^^^^^^^^^^^^^^^
overflow.

   949                                  curlencheck++;
   950                          } else {

regards,
dan carpenter

                 reply	other threads:[~2012-08-15 14:41 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120815144115.GA25050@elgon.mountain \
    --to=dan.carpenter@oracle.com \
    --cc=jarod@redhat.com \
    --cc=linux-media@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox