This is a note to let you know that I've just added the patch titled
si4713-i2c: avoid potential buffer overflow on si4713
to the 2.6.32-longterm tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.32.git;a=summary
The filename of the patch is:
si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
and it can be found in the queue-2.6.32 subdirectory.
If you, or anyone else, feels it should not be added to the 2.6.32 longterm
tree,
please let <sta...@kernel.org> know about it.
>From dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab <mche...@redhat.com>
Date: Sun, 17 Jul 2011 00:24:37 -0300
Subject: si4713-i2c: avoid potential buffer overflow on si4713
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Mauro Carvalho Chehab <mche...@redhat.com>
commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 upstream.
While compiling it with Fedora 15, I noticed this issue:
inlined from âsi4713_write_econtrol_stringâ at
drivers/media/radio/si4713-i2c.c:1065:24:
arch/x86/include/asm/uaccess_32.h:211:26: error: call to
âcopy_from_user_overflowâ declared with attribute error: copy_from_user()
buffer size is not provably correct
Signed-off-by: Mauro Carvalho Chehab <mche...@redhat.com>
Acked-by: Sakari Ailus <sakari.ai...@maxwell.research.nokia.com>
Acked-by: Eduardo Valentin <edubez...@gmail.com>
Reviewed-by: Eugene Teo <eugene...@kernel.sg>
Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
drivers/media/radio/si4713-i2c.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/radio/si4713-i2c.c
+++ b/drivers/media/radio/si4713-i2c.c
@@ -1003,7 +1003,7 @@ static int si4713_write_econtrol_string(
char ps_name[MAX_RDS_PS_NAME + 1];
len = control->size - 1;
- if (len > MAX_RDS_PS_NAME) {
+ if (len < 0 || len > MAX_RDS_PS_NAME) {
rval = -ERANGE;
goto exit;
}
@@ -1025,7 +1025,7 @@ static int si4713_write_econtrol_string(
char radio_text[MAX_RDS_RADIO_TEXT + 1];
len = control->size - 1;
- if (len > MAX_RDS_RADIO_TEXT) {
+ if (len < 0 || len > MAX_RDS_RADIO_TEXT) {
rval = -ERANGE;
goto exit;
}
Patches currently in longterm-queue-2.6.32 which might be from
mche...@redhat.com are
/home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
/home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/pvrusb2-fix-g-s_tuner-support.patch
/home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/bttv-fix-s_tuner-for-radio.patch
/home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and.patch
_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable
