diff options
author | Ralph Loader <suckfish@ihug.co.nz> | 2008-09-22 20:06:48 -0400 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@redhat.com> | 2008-10-04 22:04:32 -0400 |
commit | fe6c700ff34e68e1eb7991e9c5d18986d0005ac1 (patch) | |
tree | fcadc38da2054f3d9b25ad3ceb0d89148adcbdd5 /drivers/media/video/uvc/uvc_ctrl.c | |
parent | bda1cda54b7e1654e9416fec76e6342847b25216 (diff) |
V4L/DVB (9053): fix buffer overflow in uvc-video
There is a buffer overflow in drivers/media/video/uvc/uvc_ctrl.c:
INFO: 0xf2c5ce08-0xf2c5ce0b. First byte 0xa1 instead of 0xcc
INFO: Allocated in uvc_query_v4l2_ctrl+0x3c/0x239 [uvcvideo] age=13 cpu=1 pid=4975
...
A fixed size 8-byte buffer is allocated, and a variable size field is read
into it; there is no particular bound on the size of the field (it is
dependent on hardware and configuration) and it can overflow [also
verified by inserting printk's.]
The patch attempts to size the buffer to the correctly.
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Laurent Pinchart <laurent.pinchart@skynet.be>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers/media/video/uvc/uvc_ctrl.c')
-rw-r--r-- | drivers/media/video/uvc/uvc_ctrl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/video/uvc/uvc_ctrl.c b/drivers/media/video/uvc/uvc_ctrl.c index 6ef3e5297de8..feab12aa2c7b 100644 --- a/drivers/media/video/uvc/uvc_ctrl.c +++ b/drivers/media/video/uvc/uvc_ctrl.c | |||
@@ -592,7 +592,7 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video, | |||
592 | if (ctrl == NULL) | 592 | if (ctrl == NULL) |
593 | return -EINVAL; | 593 | return -EINVAL; |
594 | 594 | ||
595 | data = kmalloc(8, GFP_KERNEL); | 595 | data = kmalloc(ctrl->info->size, GFP_KERNEL); |
596 | if (data == NULL) | 596 | if (data == NULL) |
597 | return -ENOMEM; | 597 | return -ENOMEM; |
598 | 598 | ||