summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMauro Carvalho Chehab <mchehab@redhat.com>2011-07-17 00:24:37 -0300
committerLinus Torvalds <torvalds@linux-foundation.org>2011-07-18 09:12:21 -0700
commitdc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 (patch)
tree324e094803fe8cfcb5c36010490b92d5b6a8c174
parent524196d2ad12cfe29e15d3db7b8d678dde35b5f7 (diff)
downloadlinux-dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6.tar.gz
linux-dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6.tar.bz2
linux-dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6.zip
si4713-i2c: avoid potential buffer overflow on si4713
While compiling it with Fedora 15, I noticed this issue: inlined from ‘si4713_write_econtrol_string’ at drivers/media/radio/si4713-i2c.c:1065:24: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct Cc: stable@kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> Acked-by: Sakari Ailus <sakari.ailus@maxwell.research.nokia.com> Acked-by: Eduardo Valentin <edubezval@gmail.com> Reviewed-by: Eugene Teo <eugeneteo@kernel.sg> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/media/radio/si4713-i2c.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/media/radio/si4713-i2c.c b/drivers/media/radio/si4713-i2c.c
index deca2e06ff22..c9f4a8e65dc4 100644
--- a/drivers/media/radio/si4713-i2c.c
+++ b/drivers/media/radio/si4713-i2c.c
@@ -1033,7 +1033,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev,
char ps_name[MAX_RDS_PS_NAME + 1];
len = control->size - 1;
- if (len > MAX_RDS_PS_NAME) {
+ if (len < 0 || len > MAX_RDS_PS_NAME) {
rval = -ERANGE;
goto exit;
}
@@ -1057,7 +1057,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev,
char radio_text[MAX_RDS_RADIO_TEXT + 1];
len = control->size - 1;
- if (len > MAX_RDS_RADIO_TEXT) {
+ if (len < 0 || len > MAX_RDS_RADIO_TEXT) {
rval = -ERANGE;
goto exit;
}