From: Gianluca Gennari <gennarone@gmail.com>
To: Antti Palosaari <crope@iki.fi>
Cc: linux-media@vger.kernel.org, mchehab@redhat.com, mkrufky@linuxtv.org
Subject: Re: [PATCH] rtl28xxu: fix buffer overflow when probing Rafael Micro r820t tuner
Date: Sun, 02 Jun 2013 21:51:22 +0200
Message-ID: <51ABA23A.7070500@gmail.com>
In-Reply-To: <51AB9D3F.4030804@iki.fi>
On 02/06/2013 21:30, Antti Palosaari wrote:
> On 06/02/2013 09:56 PM, Gianluca Gennari wrote:
>> req_r820t wants a buffer with a size of 5 bytes, but the buffer 'buf'
>> has a size of 2 bytes.
>>
>> This patch fixes the kernel oops with the r820t driver on old kernels
>> during the probe stage.
>> Successfully tested on a 2.6.32 32 bit kernel (Ubuntu 10.04).
>> Hopefully it will also help with the random stability issues reported
>> by some user on the linux-media list.
>>
>> This patch and https://patchwork.kernel.org/patch/2524651/
>> should go in the next 3.10-rc release, as they fix potential kernel
>> crashes.
>>
>> Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
>> ---
>> drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>> b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>> index 22015fe..48f2e6f 100644
>> --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>> +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>> @@ -360,7 +360,7 @@ static int rtl2832u_read_config(struct
>> dvb_usb_device *d)
>> {
>> struct rtl28xxu_priv *priv = d_to_priv(d);
>> int ret;
>> - u8 buf[2];
>> + u8 buf[5];
>> /* open RTL2832U/RTL2832 I2C gate */
>> struct rtl28xxu_req req_gate_open = {0x0120, 0x0011, 0x0001,
>> "\x18"};
>> /* close RTL2832U/RTL2832 I2C gate */
>>
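Review bot: at `u8 buf[5];` the size is a bare literal that has to be kept in step by hand with the 5 bytes req_r820t asks for, which is the same coupling that let the 2-byte buffer overflow in the first place. Consider a short comment on the declaration naming req_r820t as the largest user of buf, or a check of each probe request's length against sizeof(buf) before the transfer, so that a later probe reading more bytes fails cleanly instead of writing past the array.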
>
> Gianluca, could you make that probe check the chip ID as usual? Read
> register 0x00 and check for value 0x69. Also, please test that writing a
> different value to that address does not change the register value, to
> see that it is really the chip ID.
>
> regards
> Antti
>
Hi Antti,
surely it makes sense. I will not have the time to check it until the
end of the coming week, so if someone else wants to do it in advance I
will not take offence ;-)
Regards,
Gianluca