linux/drivers/media
Mauro Carvalho Chehab 845b978a87 media: rtl28xxu: be sure that it won't go past the array size
smatch warns that the RC query code could go past the array size:

	drivers/media/usb/dvb-usb-v2/rtl28xxu.c:1757 rtl2832u_rc_query() error: buffer overflow 'buf' 128 <= 130
	drivers/media/usb/dvb-usb-v2/rtl28xxu.c:1758 rtl2832u_rc_query() error: buffer overflow 'buf' 128 <= 130

The driver logic gets the length of the IR RX buffer with:

	ret = rtl28xxu_rd_reg(d, IR_RX_BC, &buf[0]);
	...
	len = buf[0];

In theory, this could range between 0 and 255 [1].

While this should never happen in practice, due to hardware limits,
smatch is right when it complains about that, as there's nothing in
the logic that would prevent it. So, if for whatever reason, buf[0]
gets filled by rtl28xx read functions with a value bigger than 128,
it will go past the array.

So, add an explicit check.

[1] I've no idea why smatch thinks that the maximum value is 130.
I double-checked the code several times. Was unable to find any
reason for assuming 130. Perhaps smatch is not properly parsing
u8 here?

Fixes: b5cbaa43a6 ("[media] rtl28xx: initial support for rtl2832u")
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-08-08 10:57:14 -04:00
..
cec media: cec: add support for 5V signal testing 2018-07-25 07:11:48 -04:00
common media: dvb: represent min/max/step/tolerance freqs in Hz 2018-08-02 18:10:48 -04:00
dvb-core media: dvb_frontend: ensure that the step is ok for both FE and tuner 2018-08-02 18:11:46 -04:00
dvb-frontends media: dvb-frontends: rtl2832_sdr: Replace GFP_ATOMIC with GFP_KERNEL 2018-08-02 19:10:56 -04:00
firewire media: dvb: represent min/max/step/tolerance freqs in Hz 2018-08-02 18:10:48 -04:00
i2c media: mt9v111: avoid going past the buffer 2018-08-08 10:57:14 -04:00
mmc media: siano: use GFP_DMA only for smssdio 2018-05-15 08:04:42 -04:00
pci media: sta2x11: add a missing parameter description 2018-08-07 06:13:36 -04:00
platform media: vsp1_dl: add a description for cmdpool field 2018-08-08 10:57:11 -04:00
radio media: si4713: don't check number of messages in the driver 2018-07-27 06:39:57 -04:00
rc media: bpf: ensure bpf program is freed on detach 2018-07-13 11:07:29 -04:00
spi media: cxd2880-spi: Modified how to declare structure 2018-05-05 10:37:12 -04:00
tuners media: dvb: represent min/max/step/tolerance freqs in Hz 2018-08-02 18:10:48 -04:00
usb media: rtl28xxu: be sure that it won't go past the array size 2018-08-08 10:57:14 -04:00
v4l2-core media: v4l2-mem2mem: add descriptions to MC fields 2018-08-07 06:10:16 -04:00
Kconfig media: cec: Kconfig coding style issue 2018-05-09 16:26:50 -04:00
Makefile
media-device.c media: media.h: remove linux/version.h include 2018-07-27 07:52:39 -04:00
media-devnode.c
media-entity.c