From: Andreas Oberritter <obi@linuxtv.org>
To: Dan Carpenter <error27@gmail.com>
Cc: Mauro Carvalho Chehab <mchehab@infradead.org>,
Arnd Bergmann <arnd@arndb.de>, Steven Toth <stoth@kernellabs.com>,
Lucas De Marchi <lucas.demarchi@profusion.mobi>,
linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] [media] DVB: dvb_frontend: off by one in dtv_property_dump()
Date: Thu, 26 May 2011 13:16:59 +0200 [thread overview]
Message-ID: <4DDE36AB.2070202@linuxtv.org> (raw)
In-Reply-To: <20110526084452.GB14591@shale.localdomain>
Hi Dan,
On 05/26/2011 10:44 AM, Dan Carpenter wrote:
> If the tvp->cmd == DTV_MAX_COMMAND then we read past the end of the
> array.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
>
> diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
> index 9827804..607e293 100644
> --- a/drivers/media/dvb/dvb-core/dvb_frontend.c
> +++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
> @@ -981,7 +981,7 @@ static void dtv_property_dump(struct dtv_property *tvp)
> {
> int i;
>
> - if (tvp->cmd <= 0 || tvp->cmd > DTV_MAX_COMMAND) {
> + if (tvp->cmd <= 0 || tvp->cmd >= DTV_MAX_COMMAND) {
> printk(KERN_WARNING "%s: tvp.cmd = 0x%08x undefined\n",
> __func__, tvp->cmd);
> return;
thanks for spotting this, but this fixes the wrong end. This does not need to
be applied to kernels older than 2.6.40.
>From 6d8588a4546fd4df717ca61450f99fb9c1b13a5f Mon Sep 17 00:00:00 2001
From: Andreas Oberritter <obi@linuxtv.org>
Date: Thu, 26 May 2011 10:54:14 +0000
Subject: [PATCH] DVB: dvb_frontend: fix dtv_property_dump for DTV_DVBT2_PLP_ID
- Add missing entry to array "dtv_cmds".
- Set array size to DTV_MAX_COMMAND + 1 to avoid future off-by-ones.
Signed-off-by: Andreas Oberritter <obi@linuxtv.org>
---
drivers/media/dvb/dvb-core/dvb_frontend.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
index 9827804..bed7bfe 100644
--- a/drivers/media/dvb/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
@@ -904,7 +904,7 @@ static int dvb_frontend_clear_cache(struct dvb_frontend *fe)
.buffer = b \
}
-static struct dtv_cmds_h dtv_cmds[] = {
+static struct dtv_cmds_h dtv_cmds[DTV_MAX_COMMAND + 1] = {
_DTV_CMD(DTV_TUNE, 1, 0),
_DTV_CMD(DTV_CLEAR, 1, 0),
@@ -966,6 +966,7 @@ static struct dtv_cmds_h dtv_cmds[] = {
_DTV_CMD(DTV_ISDBT_LAYERC_TIME_INTERLEAVING, 0, 0),
_DTV_CMD(DTV_ISDBS_TS_ID, 1, 0),
+ _DTV_CMD(DTV_DVBT2_PLP_ID, 1, 0),
/* Get */
_DTV_CMD(DTV_DISEQC_SLAVE_REPLY, 0, 1),
--
1.7.2.5
next prev parent reply other threads:[~2011-05-26 11:17 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-26 8:44 [patch] [media] DVB: dvb_frontend: off by one in dtv_property_dump() Dan Carpenter
2011-05-26 11:16 ` Andreas Oberritter [this message]
2011-06-04 13:36 ` Mauro Carvalho Chehab
2011-06-04 16:52 ` walter harms
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DDE36AB.2070202@linuxtv.org \
--to=obi@linuxtv.org \
--cc=arnd@arndb.de \
--cc=error27@gmail.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=lucas.demarchi@profusion.mobi \
--cc=mchehab@infradead.org \
--cc=stoth@kernellabs.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox