From: Antti Palosaari <crope@iki.fi>
To: gennarone@gmail.com
Cc: linux-media@vger.kernel.org, mchehab@redhat.com, mkrufky@linuxtv.org
Subject: Re: [PATCH] rtl28xxu: fix buffer overflow when probing Rafael Micro r820t tuner
Date: Sun, 02 Jun 2013 23:04:37 +0300
Message-ID: <51ABA555.8050808@iki.fi>
In-Reply-To: <51ABA23A.7070500@gmail.com>
On 06/02/2013 10:51 PM, Gianluca Gennari wrote:
> On 02/06/2013 21:30, Antti Palosaari wrote:
>> On 06/02/2013 09:56 PM, Gianluca Gennari wrote:
>>> req_r820t wants a buffer with a size of 5 bytes, but the buffer 'buf'
>>> has a size of 2 bytes.
>>>
>>> This patch fixes the kernel oops with the r820t driver on old kernels
>>> during the probe stage.
>>> Successfully tested on a 2.6.32 32 bit kernel (Ubuntu 10.04).
>>> Hopefully it will also help with the random stability issues reported
>>> by some user on the linux-media list.
>>>
>>> This patch and https://patchwork.kernel.org/patch/2524651/
>>> should go in the next 3.10-rc release, as they fix potential kernel
>>> crashes.
>>>
>>> Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
>>> ---
>>> drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>>> b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>>> index 22015fe..48f2e6f 100644
>>> --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>>> +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
>>> @@ -360,7 +360,7 @@ static int rtl2832u_read_config(struct
>>> dvb_usb_device *d)
>>> {
>>> struct rtl28xxu_priv *priv = d_to_priv(d);
>>> int ret;
>>> - u8 buf[2];
>>> + u8 buf[5];
>>> /* open RTL2832U/RTL2832 I2C gate */
>>> struct rtl28xxu_req req_gate_open = {0x0120, 0x0011, 0x0001,
>>> "\x18"};
>>> /* close RTL2832U/RTL2832 I2C gate */
>>>
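Review bot: `u8 buf[5]` in the declarations of rtl2832u_read_config() sizes the buffer with a bare 5 that nothing in the hunk ties to the length of the request that fills it (req_r820t, per the commit message), so the two can drift apart again the same way the old `buf[2]` did. Suggest a named constant used for both the array and the request length, or shortening the probe read to one byte so the existing buffer is enough; a short comment naming the request that dictates the size would also help.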
>>
>> Gianluca, could you make that probe check the chip id as usual. Read
>> register 0x00 and check for value 0x69. Also, please test that writing a
>> different value to that address will not change the register value, to see
>> that it is really the chip id.
>>
>> regards
>> Antti
>>
>
> Hi Antti,
> surely it makes sense. I will not have the time to check it until the
> end of the coming week, so if someone else wants to do it in advance I
> will not take offence ;-)
>
> Regards,
> Gianluca
>
Yeah. I would not like to extend that buf to 5 as it is not a "proper"
solution. The current check is more like just a check that there is some
chip on that I2C address. Reading one byte makes as much sense as
reading 5 bytes. Maybe Mauro added that probe as "let's implement it
later" and then forgot...

The northern part of Finland has had very warm weather for two weeks now and
I haven't found any time to code :D Crazy, 25-30 degrees C every
day, the hottest place in the whole of Europe :] I really hope it will go back to
normal rainy and cold weather soon so that I can jump back to coding...

regards
Antti
--
http://palosaari.fi/
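
Added example, not code from the rtl28xxu driver or from anyone in this thread: a user-space C model of the chip-id probe discussed above (read register 0x00, expect 0x69, confirm that writing another value does not change it), using a request that carries the destination capacity so a 5-byte read into a 2-byte buffer is refused. The register file, `probe_req`, `fake_read` and `fake_write` are hypothetical stand-ins for the I2C transfer.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define CHIP_ID_REG 0x00 /* register named in the thread */
#define CHIP_ID_VAL 0x69 /* expected value named in the thread */

/* Constructed register file standing in for the tuner (not real data). */
static uint8_t fake_regs[8] = { CHIP_ID_VAL, 0x11, 0x22, 0x33, 0x44 };
static int id_reg_read_only = 1; /* 1 models a genuine ID register */

/* Hypothetical request: carries the destination capacity with the length. */
struct probe_req { uint8_t reg; size_t len; uint8_t *data; size_t cap; };

static int fake_read(const struct probe_req *r)
{
	/* Refuse any transfer longer than the caller's buffer or the device. */
	if (r->len > r->cap || r->reg + r->len > sizeof(fake_regs))
		return -EINVAL;
	memcpy(r->data, &fake_regs[r->reg], r->len);
	return 0;
}

static void fake_write(uint8_t reg, uint8_t val)
{
	if (reg < sizeof(fake_regs) && !(reg == CHIP_ID_REG && id_reg_read_only))
		fake_regs[reg] = val;
}

/* One-byte probe: ID must match and must survive a write of another value. */
static int probe_chip_id(void)
{
	uint8_t id = 0;
	struct probe_req req = { CHIP_ID_REG, 1, &id, sizeof(id) };
	if (fake_read(&req) || id != CHIP_ID_VAL)
		return -ENODEV;
	fake_write(CHIP_ID_REG, (uint8_t)~CHIP_ID_VAL);
	if (fake_read(&req) || id != CHIP_ID_VAL)
		return -ENODEV; /* value changed: not a chip id register */
	return 0;
}

/* The mismatch from the patch description: 5 bytes asked, 2 available. */
static int oversized_read(void)
{
	uint8_t buf[2];
	struct probe_req req = { CHIP_ID_REG, 5, buf, sizeof(buf) };
	return fake_read(&req);
}
int main(void) { return (oversized_read() == -EINVAL && !probe_chip_id()) ? 0 : 1; }
```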