From patchwork Sun Jun  2 21:24:24 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gianluca Gennari <gennarone@gmail.com>
X-Patchwork-Id: 18743
Received: from mail.tu-berlin.de ([130.149.7.33])
	by www.linuxtv.org with esmtp (Exim 4.72)
	(envelope-from <linux-media-owner@vger.kernel.org>)
	id 1UjFlu-0007Qp-6V; Sun, 02 Jun 2013 23:25:02 +0200
X-tubIT-Incoming-IP: 209.132.180.67
Received: from vger.kernel.org ([209.132.180.67])
	by mail.tu-berlin.de (exim-4.72/mailfrontend-8) with esmtp
	id 1UjFls-0005Yg-jA; Sun, 02 Jun 2013 23:25:01 +0200
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753845Ab3FBVY5 (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other);
	Sun, 2 Jun 2013 17:24:57 -0400
Received: from mail-wi0-f173.google.com ([209.85.212.173]:56480 "EHLO
	mail-wi0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753527Ab3FBVY5 (ORCPT
	<rfc822; linux-media@vger.kernel.org>); Sun, 2 Jun 2013 17:24:57 -0400
Received: by mail-wi0-f173.google.com with SMTP id hi5so2120564wib.0
	for <linux-media@vger.kernel.org>;
	Sun, 02 Jun 2013 14:24:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:x-mailer;
	bh=Jj59O77xXnzz64HpDcEPtvn88jzUKIiLxsK9oPKKglM=;
	b=oA7secjXfuGseLaOloM9W3nkRZulZhUAY+WddwaB0IHxjZz/ziqJZsUR1WoMXvr/rD
	QfeRH3L59WcITytioc4HN24OxQbJ2JYlYfgf5bLBpQ4yBcNCwJQ9J1CHKXH8Ll1cxHs0
	rmix8iWMh8uzn85121FzKKLUgSsqc7k9xlJUq9s0QMagpwmHapg0CUFSWcmTj/GOdnfI
	tbGJgnZsFxTEFZzm9Xh/Nv76WcXjhCCyza54uqXnd1qTIatBhUCveWCHix+QrYdqncYa
	x4aWfTAHC0Ps7YEUL5Wq3kp7TlvWOeTR05G4rPOPLDb+gFEEErsA4Asa01V341PZw9Zx
	z8ag==
X-Received: by 10.180.90.43 with SMTP id bt11mr10025509wib.30.1370208296081;
	Sun, 02 Jun 2013 14:24:56 -0700 (PDT)
Received: from localhost.localdomain (93-50-34-119.ip150.fastwebnet.it.
	[93.50.34.119]) by mx.google.com with ESMTPSA id
	m3sm19309277wij.5.2013.06.02.14.24.54 for <multiple recipients>
	(version=TLSv1 cipher=RC4-SHA bits=128/128);
	Sun, 02 Jun 2013 14:24:55 -0700 (PDT)
From: Gianluca Gennari <gennarone@gmail.com>
To: linux-media@vger.kernel.org, mchehab@redhat.com, crope@iki.fi
Cc: mkrufky@linuxtv.org, Gianluca Gennari <gennarone@gmail.com>
Subject: [PATCH v2] rtl28xxu: fix buffer overflow when probing Rafael Micro
	r820t tuner
Date: Sun,  2 Jun 2013 23:24:24 +0200
Message-Id: <1370208264-10276-1-git-send-email-gennarone@gmail.com>
X-Mailer: git-send-email 1.8.3
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409,
	Antispam-Data: 2013.6.2.211821
X-PMX-Spam: Gauge=XI, Probability=11%, Report='
	HASHBUSTER_BLOCK_V2 0.5, FORGED_FROM_GMAIL 0.1, MULTIPLE_RCPTS 0.1,
	HTML_00_01 0.05, HTML_00_10 0.05, BODYTEXTP_SIZE_3000_LESS 0,
	BODY_SIZE_1500_1599 0, BODY_SIZE_2000_LESS 0,
	BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, DKIM_SIGNATURE 0,
	URI_ENDS_IN_HTML 0, __ANY_URI 0, __CP_URI_IN_BODY 0,
	__FRAUD_BODY_WEBMAIL 0, __FRAUD_WEBMAIL 0,
	__FRAUD_WEBMAIL_FROM 0, __FROM_GMAIL 0,
	__HASHBUSTER_BLOCK_V2_1 0, __HAS_FROM 0, __HAS_MSGID 0,
	__HAS_X_MAILER 0, __HAS_X_MAILING_LIST 0, __MIME_TEXT_ONLY 0,
	__MULTIPLE_RCPTS_CC_X2 0, __PHISH_SPEAR_STRUCTURE_1 0,
	__SANE_MSGID 0, __SUBJ_ALPHA_END 0, __TO_MALFORMED_2 0,
	__TO_NO_NAME 0, __URI_NO_WWW 0, __URI_NS , __YOUTUBE_RCVD 0'

As suggested by Antti, this patch replaces:
https://patchwork.kernel.org/patch/2649861/

The buffer overflow is fixed by reading only the r820t ID register.

Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
Acked-by: Antti Palosaari <crope@iki.fi>
Reviewed-by: Antti Palosaari <crope@iki.fi>
---
 drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
index 22015fe..2cc8ec7 100644
--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
@@ -376,7 +376,7 @@ static int rtl2832u_read_config(struct dvb_usb_device *d)
 	struct rtl28xxu_req req_mxl5007t = {0xd9c0, CMD_I2C_RD, 1, buf};
 	struct rtl28xxu_req req_e4000 = {0x02c8, CMD_I2C_RD, 1, buf};
 	struct rtl28xxu_req req_tda18272 = {0x00c0, CMD_I2C_RD, 2, buf};
-	struct rtl28xxu_req req_r820t = {0x0034, CMD_I2C_RD, 5, buf};
+	struct rtl28xxu_req req_r820t = {0x0034, CMD_I2C_RD, 1, buf};
 
 	dev_dbg(&d->udev->dev, "%s:\n", __func__);
 
@@ -481,9 +481,9 @@ static int rtl2832u_read_config(struct dvb_usb_device *d)
 		goto found;
 	}
 
-	/* check R820T by reading tuner stats at I2C addr 0x1a */
+	/* check R820T ID register; reg=00 val=69 */
 	ret = rtl28xxu_ctrl_msg(d, &req_r820t);
-	if (ret == 0) {
+	if (ret == 0 && buf[0] == 0x69) {
 		priv->tuner = TUNER_RTL2832_R820T;
 		priv->tuner_name = "R820T";
 		goto found;