diff options
author | Jan Nikitenko <jan.nikitenko@gmail.com> | 2009-06-18 07:11:57 -0400 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@redhat.com> | 2009-08-13 19:39:02 -0400 |
commit | 458f9aa391efd34867f8cabac2e2f1af00cbc562 (patch) | |
tree | 72b5a9baf0ea344e36ec6db04b507dae3b4233f5 /drivers/media/common/tuners/qt1010.c | |
parent | 296544e15a7126373851abd40acc526b79b91432 (diff) |
V4L/DVB (12341): zl10353 and qt1010: fix stack corruption bug
Fixes stack corruption bug present in dump_regs function of zl10353 and
qt1010 drivers: the buffer buf was one byte smaller than required -
there are 4 chars for address prefix, 16 * 3 chars for dump of 16 eeprom
bytes per line and 1 byte for zero ending the string required, i.e. 53
bytes, but only 52 were provided.
The one byte missing in stack based buffer buf can cause stack
corruption possibly leading to kernel oops, as discovered originally
with af9015 driver (af9015: fix stack corruption bug).
Signed-off-by: Jan Nikitenko <jan.nikitenko@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers/media/common/tuners/qt1010.c')
-rw-r--r-- | drivers/media/common/tuners/qt1010.c | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/drivers/media/common/tuners/qt1010.c b/drivers/media/common/tuners/qt1010.c index 825aa1412e6f..9f5dba244cb8 100644 --- a/drivers/media/common/tuners/qt1010.c +++ b/drivers/media/common/tuners/qt1010.c | |||
@@ -64,24 +64,22 @@ static int qt1010_writereg(struct qt1010_priv *priv, u8 reg, u8 val) | |||
64 | /* dump all registers */ | 64 | /* dump all registers */ |
65 | static void qt1010_dump_regs(struct qt1010_priv *priv) | 65 | static void qt1010_dump_regs(struct qt1010_priv *priv) |
66 | { | 66 | { |
67 | char buf[52], buf2[4]; | ||
68 | u8 reg, val; | 67 | u8 reg, val; |
69 | 68 | ||
70 | for (reg = 0; ; reg++) { | 69 | for (reg = 0; ; reg++) { |
71 | if (reg % 16 == 0) { | 70 | if (reg % 16 == 0) { |
72 | if (reg) | 71 | if (reg) |
73 | printk("%s\n", buf); | 72 | printk(KERN_CONT "\n"); |
74 | sprintf(buf, "%02x: ", reg); | 73 | printk(KERN_DEBUG "%02x:", reg); |
75 | } | 74 | } |
76 | if (qt1010_readreg(priv, reg, &val) == 0) | 75 | if (qt1010_readreg(priv, reg, &val) == 0) |
77 | sprintf(buf2, "%02x ", val); | 76 | printk(KERN_CONT " %02x", val); |
78 | else | 77 | else |
79 | strcpy(buf2, "-- "); | 78 | printk(KERN_CONT " --"); |
80 | strcat(buf, buf2); | ||
81 | if (reg == 0x2f) | 79 | if (reg == 0x2f) |
82 | break; | 80 | break; |
83 | } | 81 | } |
84 | printk("%s\n", buf); | 82 | printk(KERN_CONT "\n"); |
85 | } | 83 | } |
86 | 84 | ||
87 | static int qt1010_set_params(struct dvb_frontend *fe, | 85 | static int qt1010_set_params(struct dvb_frontend *fe, |