diff options
| author | Mauro Carvalho Chehab <mchehab@redhat.com> | 2008-09-23 00:06:48 +0000 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@redhat.com> | 2008-09-23 00:06:48 +0000 |
| commit | 64c3e9edd4ec8939176b23508522c913333d4464 (patch) | |
| tree | 48dbc6b69647b6badbc6f5131ada7896d6180147 /linux/drivers/media/video/uvc/uvc_ctrl.c | |
| parent | a1f53ac56a039de903a6fccf8da11f48110f0c63 (diff) | |
| download | mediapointer-dvb-s2-64c3e9edd4ec8939176b23508522c913333d4464.tar.gz mediapointer-dvb-s2-64c3e9edd4ec8939176b23508522c913333d4464.tar.bz2 | |
fix buffer overflow in uvc-video
From: Ralph Loader <suckfish@ihug.co.nz>
There is a buffer overflow in drivers/media/video/uvc/uvc_ctrl.c:
INFO: 0xf2c5ce08-0xf2c5ce0b. First byte 0xa1 instead of 0xcc
INFO: Allocated in uvc_query_v4l2_ctrl+0x3c/0x239 [uvcvideo] age=13 cpu=1 pid=4975
...
A fixed size 8-byte buffer is allocated, and a variable size field is read
into it; there is no particular bound on the size of the field (it is
dependent on hardware and configuration) and it can overflow [also
verified by inserting printk's.]
The patch attempts to size the buffer to the correctly.
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Laurent Pinchart <laurent.pinchart@skynet.be>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'linux/drivers/media/video/uvc/uvc_ctrl.c')
| -rw-r--r-- | linux/drivers/media/video/uvc/uvc_ctrl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/linux/drivers/media/video/uvc/uvc_ctrl.c b/linux/drivers/media/video/uvc/uvc_ctrl.c index b66c95ffd..f16aafe9c 100644 --- a/linux/drivers/media/video/uvc/uvc_ctrl.c +++ b/linux/drivers/media/video/uvc/uvc_ctrl.c @@ -718,7 +718,7 @@ int uvc_query_v4l2_ctrl(struct uvc_video_device *video, if (ctrl == NULL) return -EINVAL; - data = kmalloc(8, GFP_KERNEL); + data = kmalloc(ctrl->info->size, GFP_KERNEL); if (data == NULL) return -ENOMEM; |