From patchwork Mon May 6 15:44:37 2013
X-Patchwork-Submitter: Gianluca Gennari
X-Patchwork-Id: 18307
X-Patchwork-Delegate: mkrufky@linuxtv.org
From: Gianluca Gennari
To: linux-media@vger.kernel.org, mchehab@redhat.com
Cc: Gianluca Gennari
Subject: [PATCH 3/3] r820t: avoid potential memcpy buffer overflow in shadow_store()
Date: Mon, 6 May 2013 17:44:37 +0200
Message-Id: <1367855077-6134-4-git-send-email-gennarone@gmail.com>
In-Reply-To: <1367855077-6134-1-git-send-email-gennarone@gmail.com>
References: <1367855077-6134-1-git-send-email-gennarone@gmail.com>

The memcpy in shadow_store() could exceed buffer limits when r > 0.

Signed-off-by: Gianluca Gennari
---
 drivers/media/tuners/r820t.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c index d8fd16a..2d6d498 100644 --- a/drivers/media/tuners/r820t.c +++ b/drivers/media/tuners/r820t.c @@ -364,8 +364,8 @@ static void shadow_store(struct r820t_priv *priv, u8 reg, const u8 *val, } if (len <= 0) return; - if (len > NUM_REGS) - len = NUM_REGS; + if (len > NUM_REGS - r) + len = NUM_REGS - r; tuner_dbg("%s: prev reg=%02x len=%d: %*ph\n", __func__, r + REG_SHADOW_START, len, len, val);
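
Review bot: the "if (len <= 0) return;" test sits above the new clamp, so a length that the clamp itself drives to zero or below is never rejected. The lines shown put no upper bound on r. If r can reach or exceed NUM_REGS (reg is a u8 and r is derived from it), then "len = NUM_REGS - r" makes len zero or negative after the early return has already been passed, and that value is what reaches the tuner_dbg() call and the memcpy the commit message refers to. Suggest either returning early when r >= NUM_REGS before the clamp, or moving the len <= 0 test below the clamp so that it covers the clamped value. It would also help for the commit message to state the range r can take, since the correctness of NUM_REGS - r depends on it.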