Commit 458f9aa3 authored by Jan Nikitenko's avatar Jan Nikitenko Committed by Mauro Carvalho Chehab

V4L/DVB (12341): zl10353 and qt1010: fix stack corruption bug

Fixes stack corruption bug present in dump_regs function of zl10353 and
qt1010 drivers: the buffer buf was one byte smaller than required -
there are 4 chars for address prefix, 16 * 3 chars for dump of 16 eeprom
bytes per line and 1 byte for zero ending the string required, i.e. 53
bytes, but only 52 were provided.

The one byte missing in stack based buffer buf can cause stack
corruption possibly leading to kernel oops, as discovered originally
with af9015 driver (af9015: fix stack corruption bug).
Signed-off-by: default avatarJan Nikitenko <jan.nikitenko@gmail.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@redhat.com>
parent 296544e1
...@@ -64,24 +64,22 @@ static int qt1010_writereg(struct qt1010_priv *priv, u8 reg, u8 val) ...@@ -64,24 +64,22 @@ static int qt1010_writereg(struct qt1010_priv *priv, u8 reg, u8 val)
/* dump all registers */ /* dump all registers */
static void qt1010_dump_regs(struct qt1010_priv *priv) static void qt1010_dump_regs(struct qt1010_priv *priv)
{ {
char buf[52], buf2[4];
u8 reg, val; u8 reg, val;
for (reg = 0; ; reg++) { for (reg = 0; ; reg++) {
if (reg % 16 == 0) { if (reg % 16 == 0) {
if (reg) if (reg)
printk("%s\n", buf); printk(KERN_CONT "\n");
sprintf(buf, "%02x: ", reg); printk(KERN_DEBUG "%02x:", reg);
} }
if (qt1010_readreg(priv, reg, &val) == 0) if (qt1010_readreg(priv, reg, &val) == 0)
sprintf(buf2, "%02x ", val); printk(KERN_CONT " %02x", val);
else else
strcpy(buf2, "-- "); printk(KERN_CONT " --");
strcat(buf, buf2);
if (reg == 0x2f) if (reg == 0x2f)
break; break;
} }
printk("%s\n", buf); printk(KERN_CONT "\n");
} }
static int qt1010_set_params(struct dvb_frontend *fe, static int qt1010_set_params(struct dvb_frontend *fe,
......
...@@ -98,7 +98,6 @@ static int zl10353_read_register(struct zl10353_state *state, u8 reg) ...@@ -98,7 +98,6 @@ static int zl10353_read_register(struct zl10353_state *state, u8 reg)
static void zl10353_dump_regs(struct dvb_frontend *fe) static void zl10353_dump_regs(struct dvb_frontend *fe)
{ {
struct zl10353_state *state = fe->demodulator_priv; struct zl10353_state *state = fe->demodulator_priv;
char buf[52], buf2[4];
int ret; int ret;
u8 reg; u8 reg;
...@@ -106,19 +105,18 @@ static void zl10353_dump_regs(struct dvb_frontend *fe) ...@@ -106,19 +105,18 @@ static void zl10353_dump_regs(struct dvb_frontend *fe)
for (reg = 0; ; reg++) { for (reg = 0; ; reg++) {
if (reg % 16 == 0) { if (reg % 16 == 0) {
if (reg) if (reg)
printk(KERN_DEBUG "%s\n", buf); printk(KERN_CONT "\n");
sprintf(buf, "%02x: ", reg); printk(KERN_DEBUG "%02x:", reg);
} }
ret = zl10353_read_register(state, reg); ret = zl10353_read_register(state, reg);
if (ret >= 0) if (ret >= 0)
sprintf(buf2, "%02x ", (u8)ret); printk(KERN_CONT " %02x", (u8)ret);
else else
strcpy(buf2, "-- "); printk(KERN_CONT " --");
strcat(buf, buf2);
if (reg == 0xff) if (reg == 0xff)
break; break;
} }
printk(KERN_DEBUG "%s\n", buf); printk(KERN_CONT "\n");
} }
static void zl10353_calc_nominal_rate(struct dvb_frontend *fe, static void zl10353_calc_nominal_rate(struct dvb_frontend *fe,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment