From patchwork Sun Jun  2 18:56:04 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gianluca Gennari <gennarone@gmail.com>
X-Patchwork-Id: 18742
Received: from mail.tu-berlin.de ([130.149.7.33])
	by www.linuxtv.org with esmtp (Exim 4.72)
	(envelope-from <linux-media-owner@vger.kernel.org>)
	id 1UjDSX-0004DR-Od; Sun, 02 Jun 2013 20:56:53 +0200
X-tubIT-Incoming-IP: 209.132.180.67
Received: from vger.kernel.org ([209.132.180.67])
	by mail.tu-berlin.de (exim-4.72/mailfrontend-7) with esmtp
	id 1UjDSV-0006oG-32; Sun, 02 Jun 2013 20:56:53 +0200
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754979Ab3FBS4u (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other);
	Sun, 2 Jun 2013 14:56:50 -0400
Received: from mail-we0-f170.google.com ([74.125.82.170]:63302 "EHLO
	mail-we0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754893Ab3FBS4t (ORCPT
	<rfc822; linux-media@vger.kernel.org>); Sun, 2 Jun 2013 14:56:49 -0400
Received: by mail-we0-f170.google.com with SMTP id w57so1075712wes.15
	for <linux-media@vger.kernel.org>;
	Sun, 02 Jun 2013 11:56:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:x-mailer;
	bh=VZQX3jEyNcu0YLah1QE9T8b2BwDC9H3hVyzKfAKvI8M=;
	b=g35A+EmBeq6MzBRxveVJHXe9lS7tnRm6nx8SVEnRq+KPj+WxLLkjplXAO5KTBdHhRI
	1Eoe9KPKd7kRzti7WMT8JYB6GCMFBLTWR5z+GA2xlYrHsw9knef2UcgrDMAJVk98uMbf
	gKXZjOUIWSpjneS0pZt1NtQTWeGiTROBGq5QJTudWZ5757OoCKKixCVGWJ3etWUcli6M
	+1bzU/1Y+uKRlDWp1cFWyqEbZNdKgB3BhiHUrRe5crlpBQBu0chH3dYW3le0mg+3vXFK
	SP/yKrxSV3XVZ48fvbUTW8V4Fyap1lNnrq8z00qJl/GsJz1bHedAGeAAY+zAmVljAG58
	A4oQ==
X-Received: by 10.180.205.177 with SMTP id
	lh17mr10101587wic.45.1370199408468;
	Sun, 02 Jun 2013 11:56:48 -0700 (PDT)
Received: from localhost.localdomain (93-50-34-119.ip150.fastwebnet.it.
	[93.50.34.119]) by mx.google.com with ESMTPSA id
	k10sm18492061wia.4.2013.06.02.11.56.46 for <multiple recipients>
	(version=TLSv1 cipher=RC4-SHA bits=128/128);
	Sun, 02 Jun 2013 11:56:47 -0700 (PDT)
From: Gianluca Gennari <gennarone@gmail.com>
To: linux-media@vger.kernel.org, mchehab@redhat.com, crope@iki.fi
Cc: mkrufky@linuxtv.org, Gianluca Gennari <gennarone@gmail.com>
Subject: [PATCH] rtl28xxu: fix buffer overflow when probing Rafael Micro
	r820t tuner
Date: Sun,  2 Jun 2013 20:56:04 +0200
Message-Id: <1370199364-30060-1-git-send-email-gennarone@gmail.com>
X-Mailer: git-send-email 1.8.3
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409,
	Antispam-Data: 2013.6.2.184518
X-PMX-Spam: Gauge=IIIIIIIII, Probability=9%, Report='
	FORGED_FROM_GMAIL 0.1, MULTIPLE_RCPTS 0.1, HTML_00_01 0.05,
	HTML_00_10 0.05, BODYTEXTP_SIZE_3000_LESS 0,
	BODY_SIZE_1300_1399 0, BODY_SIZE_2000_LESS 0,
	BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, DKIM_SIGNATURE 0,
	URI_ENDS_IN_HTML 0, __ANY_URI 0, __CP_URI_IN_BODY 0,
	__FRAUD_BODY_WEBMAIL 0, __FRAUD_WEBMAIL 0,
	__FRAUD_WEBMAIL_FROM 0, __FROM_GMAIL 0, __HAS_FROM 0,
	__HAS_MSGID 0, __HAS_X_MAILER 0, __HAS_X_MAILING_LIST 0,
	__MIME_TEXT_ONLY 0, __MULTIPLE_RCPTS_CC_X2 0,
	__PHISH_SPEAR_STRUCTURE_1 0, __SANE_MSGID 0,
	__SUBJ_ALPHA_END 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0,
	__URI_NO_WWW 0, __URI_NS , __YOUTUBE_RCVD 0'

req_r820t wants a buffer with a size of 5 bytes, but the buffer 'buf'
has a size of 2 bytes.

This patch fixes the kernel oops with the r820t driver on old kernels
during the probe stage.
Successfully tested on a 2.6.32 32 bit kernel (Ubuntu 10.04).
Hopefully it will also help with the random stability issues reported
by some user on the linux-media list.

This patch and https://patchwork.kernel.org/patch/2524651/
should go in the next 3.10-rc release, as they fix potential kernel crashes.

Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
---
 drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
index 22015fe..48f2e6f 100644
--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
@@ -360,7 +360,7 @@ static int rtl2832u_read_config(struct dvb_usb_device *d)
 {
 	struct rtl28xxu_priv *priv = d_to_priv(d);
 	int ret;
-	u8 buf[2];
+	u8 buf[5];
 	/* open RTL2832U/RTL2832 I2C gate */
 	struct rtl28xxu_req req_gate_open = {0x0120, 0x0011, 0x0001, "\x18"};
 	/* close RTL2832U/RTL2832 I2C gate */