* [bug report] buffer overflow in redrat3_transmit_ir()
@ 2012-08-15 14:41 Dan Carpenter
From: Dan Carpenter @ 2012-08-15 14:41 UTC (permalink / raw)
To: jarod; +Cc: linux-media
Hello Jarod Wilson,
The patch 2154be651b90: "[media] redrat3: new rc-core IR transceiver
device driver" from May 4, 2011, leads to the following warning:

drivers/media/rc/redrat3.c:948 redrat3_transmit_ir()
	 error: buffer overflow 'sample_lens' 128 <= 254

drivers/media/rc/redrat3.c
929     sample_lens = kzalloc(sizeof(int) * RR3_DRIVER_MAXLENS, GFP_KERNEL);
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
sample_lens has space for 128 ints.

930     if (!sample_lens) {
931         ret = -ENOMEM;
932         goto out;
933     }
934
935     for (i = 0; i < count; i++) {
936         for (lencheck = 0; lencheck < curlencheck; lencheck++) {
937             cur_sample_len = redrat3_us_to_len(txbuf[i]);
938             if (sample_lens[lencheck] == cur_sample_len)
939                 break;
940         }
941         if (lencheck == curlencheck) {
942             cur_sample_len = redrat3_us_to_len(txbuf[i]);
943             rr3_dbg(dev, "txbuf[%d]=%u, pos %d, enc %u\n",
944                 i, txbuf[i], curlencheck, cur_sample_len);
945             if (curlencheck < 255) {
                    ^^^^^^^^^^^^^^^^^
curlencheck goes up to 254.

946                 /* now convert the value to a proper
947                  * rr3 value.. */
948                 sample_lens[curlencheck] = cur_sample_len;
                    ^^^^^^^^^^^^^^^^^^^^^^^^
overflow.

949                 curlencheck++;
950             } else {

regards,
dan carpenter
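
An added example, not part of the original message and not the driver's code: a user-space C sketch of the same de-duplicating table fill, with the guard tied to the allocation size instead of the constant 255. The names collect_lens, first_oob_index and run_distinct are hypothetical, and MAXLENS is assumed to be 128 because the report says sample_lens holds 128 ints.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAXLENS   128  /* assumed stand-in for RR3_DRIVER_MAXLENS (128 ints per the report) */
#define OLD_LIMIT 255  /* constant used by the guard at line 945 */

/* Store each distinct value of in[] in table[], never writing past cap.
 * Returns the number of distinct values, or -1 if a new one would not fit. */
static int collect_lens(const unsigned *in, size_t count, int *table, size_t cap)
{
    size_t used = 0;
    for (size_t i = 0; i < count; i++) {
        size_t j;
        for (j = 0; j < used; j++)
            if (table[j] == (int)in[i])
                break;
        if (j < used)
            continue;               /* value already in the table */
        if (used >= cap)
            return -1;              /* bound is the allocation, not 255 */
        table[used++] = (int)in[i];
    }
    return (int)used;
}

/* Audit helper: first index an "idx < limit" guard admits that lies outside
 * an array of cap elements, or -1 if the guard is tight. Performs no write. */
static int first_oob_index(size_t limit, size_t cap)
{
    return limit > cap ? (int)cap : -1;
}

/* Constructed input: n distinct sample lengths 1..n (n >= 1). */
static int run_distinct(size_t n)
{
    unsigned *in = malloc(n * sizeof(*in));
    int *table = calloc(MAXLENS, sizeof(*table));
    int ret = -1;
    if (in && table) {
        for (size_t i = 0; i < n; i++)
            in[i] = (unsigned)(i + 1);
        ret = collect_lens(in, n, table, MAXLENS);
    }
    free(in);
    free(table);
    return ret;
}

int main(void) { printf("%d %d\n", run_distinct(129), first_oob_index(OLD_LIMIT, MAXLENS)); return 0; }
```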