aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/media/dvb/frontends
diff options
context:
space:
mode:
authorJan Nikitenko <jan.nikitenko@gmail.com>2009-06-18 07:11:57 -0400
committerMauro Carvalho Chehab <mchehab@redhat.com>2009-08-13 19:39:02 -0400
commit458f9aa391efd34867f8cabac2e2f1af00cbc562 (patch)
tree72b5a9baf0ea344e36ec6db04b507dae3b4233f5 /drivers/media/dvb/frontends
parent296544e15a7126373851abd40acc526b79b91432 (diff)
V4L/DVB (12341): zl10353 and qt1010: fix stack corruption bug
Fixes stack corruption bug present in dump_regs function of zl10353 and qt1010 drivers: the buffer buf was one byte smaller than required - there are 4 chars for address prefix, 16 * 3 chars for dump of 16 eeprom bytes per line and 1 byte for zero ending the string required, i.e. 53 bytes, but only 52 were provided. The one byte missing in stack based buffer buf can cause stack corruption possibly leading to kernel oops, as discovered originally with af9015 driver (af9015: fix stack corruption bug). Signed-off-by: Jan Nikitenko <jan.nikitenko@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers/media/dvb/frontends')
-rw-r--r--drivers/media/dvb/frontends/zl10353.c12
1 files changed, 5 insertions, 7 deletions
diff --git a/drivers/media/dvb/frontends/zl10353.c b/drivers/media/dvb/frontends/zl10353.c
index 148b6f7f6cb2..66f5c1fb3074 100644
--- a/drivers/media/dvb/frontends/zl10353.c
+++ b/drivers/media/dvb/frontends/zl10353.c
@@ -98,7 +98,6 @@ static int zl10353_read_register(struct zl10353_state *state, u8 reg)
98static void zl10353_dump_regs(struct dvb_frontend *fe) 98static void zl10353_dump_regs(struct dvb_frontend *fe)
99{ 99{
100 struct zl10353_state *state = fe->demodulator_priv; 100 struct zl10353_state *state = fe->demodulator_priv;
101 char buf[52], buf2[4];
102 int ret; 101 int ret;
103 u8 reg; 102 u8 reg;
104 103
@@ -106,19 +105,18 @@ static void zl10353_dump_regs(struct dvb_frontend *fe)
106 for (reg = 0; ; reg++) { 105 for (reg = 0; ; reg++) {
107 if (reg % 16 == 0) { 106 if (reg % 16 == 0) {
108 if (reg) 107 if (reg)
109 printk(KERN_DEBUG "%s\n", buf); 108 printk(KERN_CONT "\n");
110 sprintf(buf, "%02x: ", reg); 109 printk(KERN_DEBUG "%02x:", reg);
111 } 110 }
112 ret = zl10353_read_register(state, reg); 111 ret = zl10353_read_register(state, reg);
113 if (ret >= 0) 112 if (ret >= 0)
114 sprintf(buf2, "%02x ", (u8)ret); 113 printk(KERN_CONT " %02x", (u8)ret);
115 else 114 else
116 strcpy(buf2, "-- "); 115 printk(KERN_CONT " --");
117 strcat(buf, buf2);
118 if (reg == 0xff) 116 if (reg == 0xff)
119 break; 117 break;
120 } 118 }
121 printk(KERN_DEBUG "%s\n", buf); 119 printk(KERN_CONT "\n");
122} 120}
123 121
124static void zl10353_calc_nominal_rate(struct dvb_frontend *fe, 122static void zl10353_calc_nominal_rate(struct dvb_frontend *fe,