]> pilppa.com Git - linux-2.6-omap-h63xx.git/commitdiff
V4L/DVB (9053): fix buffer overflow in uvc-video
authorRalph Loader <suckfish@ihug.co.nz>
Tue, 23 Sep 2008 00:06:48 +0000 (21:06 -0300)
committerMauro Carvalho Chehab <mchehab@redhat.com>
Sun, 5 Oct 2008 02:04:32 +0000 (23:04 -0300)
There is a buffer overflow in drivers/media/video/uvc/uvc_ctrl.c:

INFO: 0xf2c5ce08-0xf2c5ce0b. First byte 0xa1 instead of 0xcc
INFO: Allocated in uvc_query_v4l2_ctrl+0x3c/0x239 [uvcvideo] age=13 cpu=1 pid=4975
...

A fixed size 8-byte buffer is allocated, and a variable size field is read
into it; there is no particular bound on the size of the field (it is
dependent on hardware and configuration) and it can overflow [also
verified by inserting printk's.]

The patch attempts to size the buffer to the correctly.

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Laurent Pinchart <laurent.pinchart@skynet.be>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
drivers/media/video/uvc/uvc_ctrl.c

index 6ef3e5297de8c085cbeaa70a2ff628bba1b524dc..feab12aa2c7b5e9c0efb030a7eb1551611dbc766 100644 (file)
@@ -592,7 +592,7 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video,
        if (ctrl == NULL)
                return -EINVAL;
 
-       data = kmalloc(8, GFP_KERNEL);
+       data = kmalloc(ctrl->info->size, GFP_KERNEL);
        if (data == NULL)
                return -ENOMEM;