From f7ea703f977df67b32fa86271669d8d4a5d3ce7f Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Thu, 18 Jun 2009 11:11:57 +0000 Subject: zl10353 and qt1010: fix stack corruption bug From: Jan Nikitenko Fixes stack corruption bug present in dump_regs function of zl10353 and qt1010 drivers: the buffer buf was one byte smaller than required - there are 4 chars for address prefix, 16 * 3 chars for dump of 16 eeprom bytes per line and 1 byte for zero ending the string required, i.e. 53 bytes, but only 52 were provided. The one byte missing in stack based buffer buf can cause stack corruption possibly leading to kernel oops, as discovered originally with af9015 driver (af9015: fix stack corruption bug). Signed-off-by: Jan Nikitenko Signed-off-by: Mauro Carvalho Chehab --- linux/drivers/media/common/tuners/qt1010.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'linux/drivers/media/common/tuners/qt1010.c') diff --git a/linux/drivers/media/common/tuners/qt1010.c b/linux/drivers/media/common/tuners/qt1010.c index 4afed44ab..d877c59a7 100644 --- a/linux/drivers/media/common/tuners/qt1010.c +++ b/linux/drivers/media/common/tuners/qt1010.c @@ -65,24 +65,22 @@ static int qt1010_writereg(struct qt1010_priv *priv, u8 reg, u8 val) /* dump all registers */ static void qt1010_dump_regs(struct qt1010_priv *priv) { - char buf[52], buf2[4]; u8 reg, val; for (reg = 0; ; reg++) { if (reg % 16 == 0) { if (reg) - printk("%s\n", buf); - sprintf(buf, "%02x: ", reg); + printk(KERN_CONT "\n"); + printk(KERN_DEBUG "%02x:", reg); } if (qt1010_readreg(priv, reg, &val) == 0) - sprintf(buf2, "%02x ", val); + printk(KERN_CONT " %02x", val); else - strcpy(buf2, "-- "); - strcat(buf, buf2); + printk(KERN_CONT " --"); if (reg == 0x2f) break; } - printk("%s\n", buf); + printk(KERN_CONT "\n"); } static int qt1010_set_params(struct dvb_frontend *fe, -- cgit v1.2.3