[PATCH] [17/50] si4713-i2c: avoid potential buffer overflow on si4713
From: Andi Kleen
Date: Thu Jul 28 2011 - 19:53:45 EST
2.6.35-longterm review patch. If anyone has any objections, please let me know.
------------------
From: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
[ upstream commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 ]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While compiling it with Fedora 15, I noticed this issue:
inlined from â??si4713_write_econtrol_stringâ?? at drivers/media/radio/si4713-i2c.c:1065:24:
arch/x86/include/asm/uaccess_32.h:211:26: error: call to â??copy_from_user_overflowâ?? declared with attribute error: copy_from_user() buffer size is not provably correct
Cc: stable@xxxxxxxxxx
Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
Acked-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Acked-by: Eduardo Valentin <edubezval@xxxxxxxxx>
Reviewed-by: Eugene Teo <eugeneteo@xxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Andi Kleen <ak@xxxxxxxxxxxxxxx>
Index: linux-2.6.35.y/drivers/media/radio/si4713-i2c.c
===================================================================
--- linux-2.6.35.y.orig/drivers/media/radio/si4713-i2c.c
+++ linux-2.6.35.y/drivers/media/radio/si4713-i2c.c
@@ -1004,7 +1004,7 @@ static int si4713_write_econtrol_string(
char ps_name[MAX_RDS_PS_NAME + 1];
len = control->size - 1;
- if (len > MAX_RDS_PS_NAME) {
+ if (len < 0 || len > MAX_RDS_PS_NAME) {
rval = -ERANGE;
goto exit;
}
@@ -1026,7 +1026,7 @@ static int si4713_write_econtrol_string(
char radio_text[MAX_RDS_RADIO_TEXT + 1];
len = control->size - 1;
- if (len > MAX_RDS_RADIO_TEXT) {
+ if (len < 0 || len > MAX_RDS_RADIO_TEXT) {
rval = -ERANGE;
goto exit;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/