Re: [patch] [media] DVB: dvb_frontend: off by one in dtv_property_dump()

public inbox for linux-media@vger.kernel.org
 help / color / mirror / Atom feed

From: walter harms <wharms@bfs.de>
To: Mauro Carvalho Chehab <mchehab@infradead.org>
Cc: Andreas Oberritter <obi@linuxtv.org>,
	Dan Carpenter <error27@gmail.com>, Arnd Bergmann <arnd@arndb.de>,
	Steven Toth <stoth@kernellabs.com>,
	Lucas De Marchi <lucas.demarchi@profusion.mobi>,
	linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] [media] DVB: dvb_frontend: off by one in dtv_property_dump()
Date: Sat, 04 Jun 2011 18:52:37 +0200	[thread overview]
Message-ID: <4DEA62D5.7030902@bfs.de> (raw)
In-Reply-To: <4DEA34F1.1020401@infradead.org>



Am 04.06.2011 15:36, schrieb Mauro Carvalho Chehab:
> Em 26-05-2011 08:16, Andreas Oberritter escreveu:
>> Hi Dan,
>>
>> On 05/26/2011 10:44 AM, Dan Carpenter wrote:
>>> If the tvp->cmd == DTV_MAX_COMMAND then we read past the end of the
>>> array.
>>>
>>> Signed-off-by: Dan Carpenter <error27@gmail.com>
>>>
>>> diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
>>> index 9827804..607e293 100644
>>> --- a/drivers/media/dvb/dvb-core/dvb_frontend.c
>>> +++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
>>> @@ -981,7 +981,7 @@ static void dtv_property_dump(struct dtv_property *tvp)
>>>  {
>>>  	int i;
>>>  
>>> -	if (tvp->cmd <= 0 || tvp->cmd > DTV_MAX_COMMAND) {
>>> +	if (tvp->cmd <= 0 || tvp->cmd >= DTV_MAX_COMMAND) {
>>>  		printk(KERN_WARNING "%s: tvp.cmd = 0x%08x undefined\n",
>>>  			__func__, tvp->cmd);
>>>  		return;
>>
>> thanks for spotting this, but this fixes the wrong end. This does not need to
>> be applied to kernels older than 2.6.40.
>>
>> From 6d8588a4546fd4df717ca61450f99fb9c1b13a5f Mon Sep 17 00:00:00 2001
>> From: Andreas Oberritter <obi@linuxtv.org>
>> Date: Thu, 26 May 2011 10:54:14 +0000
>> Subject: [PATCH] DVB: dvb_frontend: fix dtv_property_dump for DTV_DVBT2_PLP_ID
>>
>> - Add missing entry to array "dtv_cmds".
>> - Set array size to DTV_MAX_COMMAND + 1 to avoid future off-by-ones.
> 
> Patchwork.kernel.org is not reliable at all. It missed this entire thread.
> 
> Andreas patch is the right thing to do.
> 
> Thank you both for reporting and fixing this issue. I'm applying the
> patch right now.
> 
>>
>> Signed-off-by: Andreas Oberritter <obi@linuxtv.org>
>> ---
>>  drivers/media/dvb/dvb-core/dvb_frontend.c |    3 ++-
>>  1 files changed, 2 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
>> index 9827804..bed7bfe 100644
>> --- a/drivers/media/dvb/dvb-core/dvb_frontend.c
>> +++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
>> @@ -904,7 +904,7 @@ static int dvb_frontend_clear_cache(struct dvb_frontend *fe)
>>  	.buffer = b \
>>  }
>>  
>> -static struct dtv_cmds_h dtv_cmds[] = {
>> +static struct dtv_cmds_h dtv_cmds[DTV_MAX_COMMAND + 1] = {
>>  	_DTV_CMD(DTV_TUNE, 1, 0),
>>  	_DTV_CMD(DTV_CLEAR, 1, 0),
>>  
>> @@ -966,6 +966,7 @@ static struct dtv_cmds_h dtv_cmds[] = {
>>  	_DTV_CMD(DTV_ISDBT_LAYERC_TIME_INTERLEAVING, 0, 0),
>>  
>>  	_DTV_CMD(DTV_ISDBS_TS_ID, 1, 0),
>> +	_DTV_CMD(DTV_DVBT2_PLP_ID, 1, 0),
>>  
>>  	/* Get */
>>  	_DTV_CMD(DTV_DISEQC_SLAVE_REPLY, 0, 1),
> 
>
Do you really want a fixed size array ?
perhaps it is better to leave it struct dtv_cmds_h dtv_cmds[]
and use ARRAY_SIZE(dtv_cmds) instead of DTV_MAX_COMMAND ?

i do not see any use beyond dtv_property_dump().

re,
 wh

     prev parent reply	other threads:[~2011-06-04 17:25 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-05-26  8:44 [patch] [media] DVB: dvb_frontend: off by one in dtv_property_dump() Dan Carpenter
2011-05-26 11:16 ` Andreas Oberritter
2011-06-04 13:36   ` Mauro Carvalho Chehab
2011-06-04 16:52     ` walter harms [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4DEA62D5.7030902@bfs.de \
    --to=wharms@bfs.de \
    --cc=arnd@arndb.de \
    --cc=error27@gmail.com \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=lucas.demarchi@profusion.mobi \
    --cc=mchehab@infradead.org \
    --cc=obi@linuxtv.org \
    --cc=stoth@kernellabs.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox