* Re: [PATCH] [media] cx18: introduce a helper function to avoid array overrun
[not found] <1389020826-807-1-git-send-email-ethan.kernel@gmail.com>
@ 2014-01-10 13:06 ` Hans Verkuil
2014-01-11 14:08 ` Andy Walls
0 siblings, 1 reply; 2+ messages in thread
From: Hans Verkuil @ 2014-01-10 13:06 UTC (permalink / raw)
To: Ethan Zhao; +Cc: hans.verkuil, m.chehab, gregkh, linux-media, Andy Walls
Also CC to linux-media and Andy Walls who maintains this driver.
Regards,
Hans
On 01/06/14 16:07, Ethan Zhao wrote:
> cx18_i2c_register() is called in cx18_init_subdevs() with index
> greater than length of hw_bus array, that will cause array overrun,
> introduce a helper cx18_get_max_bus_num() to avoid it.
>
> V2: fix a typo and use ARRAY_SIZE macro
>
> Signed-off-by: Ethan Zhao <ethan.kernel@gmail.com>
> ---
> drivers/media/pci/cx18/cx18-driver.c | 2 +-
> drivers/media/pci/cx18/cx18-i2c.c | 5 +++++
> drivers/media/pci/cx18/cx18-i2c.h | 1 +
> 3 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/pci/cx18/cx18-driver.c b/drivers/media/pci/cx18/cx18-driver.c
> index 6386ced..dadcd4a 100644
> --- a/drivers/media/pci/cx18/cx18-driver.c
> +++ b/drivers/media/pci/cx18/cx18-driver.c
> @@ -856,7 +856,7 @@ static void cx18_init_subdevs(struct cx18 *cx)
> u32 device;
> int i;
>
> - for (i = 0, device = 1; i < 32; i++, device <<= 1) {
> + for (i = 0, device = 1; i < cx18_get_max_bus_num(); i++, device <<= 1) {
>
> if (!(device & hw))
> continue;
> diff --git a/drivers/media/pci/cx18/cx18-i2c.c b/drivers/media/pci/cx18/cx18-i2c.c
> index 4af8cd6..1a7b49b 100644
> --- a/drivers/media/pci/cx18/cx18-i2c.c
> +++ b/drivers/media/pci/cx18/cx18-i2c.c
> @@ -108,6 +108,11 @@ static int cx18_i2c_new_ir(struct cx18 *cx, struct i2c_adapter *adap, u32 hw,
> -1 : 0;
> }
>
> +int cx18_get_max_bus_num(void)
> +{
> + return ARRAY_SIZE(hw_bus);
> +}
> +
> int cx18_i2c_register(struct cx18 *cx, unsigned idx)
> {
> struct v4l2_subdev *sd;
> diff --git a/drivers/media/pci/cx18/cx18-i2c.h b/drivers/media/pci/cx18/cx18-i2c.h
> index 1180fdc..6f2ceb5 100644
> --- a/drivers/media/pci/cx18/cx18-i2c.h
> +++ b/drivers/media/pci/cx18/cx18-i2c.h
> @@ -21,6 +21,7 @@
> * 02111-1307 USA
> */
>
> +int cx18_get_max_bus_num(void);
> int cx18_i2c_register(struct cx18 *cx, unsigned idx);
> struct v4l2_subdev *cx18_find_hw(struct cx18 *cx, u32 hw);
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] [media] cx18: introduce a helper function to avoid array overrun
2014-01-10 13:06 ` [PATCH] [media] cx18: introduce a helper function to avoid array overrun Hans Verkuil
@ 2014-01-11 14:08 ` Andy Walls
0 siblings, 0 replies; 2+ messages in thread
From: Andy Walls @ 2014-01-11 14:08 UTC (permalink / raw)
To: Ethan Zhao; +Cc: Hans Verkuil, hans.verkuil, m.chehab, gregkh, linux-media
On Fri, 2014-01-10 at 14:06 +0100, Hans Verkuil wrote:
> Also CC to linux-media and Andy Walls who maintains this driver.
>
> Regards,
>
> Hans
>
> On 01/06/14 16:07, Ethan Zhao wrote:
> > cx18_i2c_register() is called in cx18_init_subdevs() with index
> > greater than length of hw_bus array, that will cause array overrun,
> > introduce a helper cx18_get_max_bus_num() to avoid it.
> >
> > V2: fix a typo and use ARRAY_SIZE macro
> >
> > Signed-off-by: Ethan Zhao <ethan.kernel@gmail.com>
Hi Ethan,
There is no need for this change. See below.
> > ---
> > drivers/media/pci/cx18/cx18-driver.c | 2 +-
> > drivers/media/pci/cx18/cx18-i2c.c | 5 +++++
> > drivers/media/pci/cx18/cx18-i2c.h | 1 +
> > 3 files changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/media/pci/cx18/cx18-driver.c b/drivers/media/pci/cx18/cx18-driver.c
> > index 6386ced..dadcd4a 100644
> > --- a/drivers/media/pci/cx18/cx18-driver.c
> > +++ b/drivers/media/pci/cx18/cx18-driver.c
> > @@ -856,7 +856,7 @@ static void cx18_init_subdevs(struct cx18 *cx)
> > u32 device;
> > int i;
> >
> > - for (i = 0, device = 1; i < 32; i++, device <<= 1) {
> > + for (i = 0, device = 1; i < cx18_get_max_bus_num(); i++, device <<= 1) {
> >
> > if (!(device & hw))
> > continue;
This check of "!(device & hw)" already does the bounds check. Card
specific, I2C device presence flags are statically compiled into the
driver in cx18-cards.c and are used in this check.
The ivtv driver does the same sort of check in
ivtv-driver.c:ivtv_load_and_init_modules().
Both the cx18 and ivtv drivers are very mature, so I don't want any
unecessary code churn in them to address non-problems.
Regards,
Andy
> > diff --git a/drivers/media/pci/cx18/cx18-i2c.c b/drivers/media/pci/cx18/cx18-i2c.c
> > index 4af8cd6..1a7b49b 100644
> > --- a/drivers/media/pci/cx18/cx18-i2c.c
> > +++ b/drivers/media/pci/cx18/cx18-i2c.c
> > @@ -108,6 +108,11 @@ static int cx18_i2c_new_ir(struct cx18 *cx, struct i2c_adapter *adap, u32 hw,
> > -1 : 0;
> > }
> >
> > +int cx18_get_max_bus_num(void)
> > +{
> > + return ARRAY_SIZE(hw_bus);
> > +}
> > +
> > int cx18_i2c_register(struct cx18 *cx, unsigned idx)
> > {
> > struct v4l2_subdev *sd;
> > diff --git a/drivers/media/pci/cx18/cx18-i2c.h b/drivers/media/pci/cx18/cx18-i2c.h
> > index 1180fdc..6f2ceb5 100644
> > --- a/drivers/media/pci/cx18/cx18-i2c.h
> > +++ b/drivers/media/pci/cx18/cx18-i2c.h
> > @@ -21,6 +21,7 @@
> > * 02111-1307 USA
> > */
> >
> > +int cx18_get_max_bus_num(void);
> > int cx18_i2c_register(struct cx18 *cx, unsigned idx);
> > struct v4l2_subdev *cx18_find_hw(struct cx18 *cx, u32 hw);
> >
> >
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-01-11 14:07 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <1389020826-807-1-git-send-email-ethan.kernel@gmail.com>
2014-01-10 13:06 ` [PATCH] [media] cx18: introduce a helper function to avoid array overrun Hans Verkuil
2014-01-11 14:08 ` Andy Walls
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox