[media] rtl28xxu: fix buffer overflow when probing Rafael Micro r820t tuner
authorGianluca Gennari <gennarone@gmail.com>
Sun, 2 Jun 2013 20:24:24 +0000 (17:24 -0300)
committerMauro Carvalho Chehab <mchehab@redhat.com>
Mon, 17 Jun 2013 18:25:34 +0000 (15:25 -0300)
As suggested by Antti, this patch replaces:
https://patchwork.kernel.org/patch/2649861/
The buffer overflow is fixed by reading only the r820t ID register.

Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
Acked-by: Antti Palosaari <crope@iki.fi>
Reviewed-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
drivers/media/usb/dvb-usb-v2/rtl28xxu.c

index 22015fe1a0f322580ff9be7379f12ccc7ac9124e..2cc8ec70e3b68cee498a850525973c771354eef3 100644 (file)
@@ -376,7 +376,7 @@ static int rtl2832u_read_config(struct dvb_usb_device *d)
        struct rtl28xxu_req req_mxl5007t = {0xd9c0, CMD_I2C_RD, 1, buf};
        struct rtl28xxu_req req_e4000 = {0x02c8, CMD_I2C_RD, 1, buf};
        struct rtl28xxu_req req_tda18272 = {0x00c0, CMD_I2C_RD, 2, buf};
-       struct rtl28xxu_req req_r820t = {0x0034, CMD_I2C_RD, 5, buf};
+       struct rtl28xxu_req req_r820t = {0x0034, CMD_I2C_RD, 1, buf};
 
        dev_dbg(&d->udev->dev, "%s:\n", __func__);
 
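Review bot: The read length in `req_r820t` is still a bare literal with nothing tying it to the size of `buf`, so the same overflow can return the next time a probe request is added or widened. `buf` is declared outside this hunk, and `req_tda18272` on the line above already reads 2 bytes into it, so every `req_*` initializer here depends on that one declaration. A comment beside the initializers would record the invariant, for example `/* all probe reads land in buf: length must not exceed sizeof(buf) */`. Whether `rtl28xxu_ctrl_msg` checks the requested size against the destination cannot be seen from here; if it does not, a length check in that path would enforce the rule rather than just document it.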
@@ -481,9 +481,9 @@ static int rtl2832u_read_config(struct dvb_usb_device *d)
                goto found;
        }
 
-       /* check R820T by reading tuner stats at I2C addr 0x1a */
+       /* check R820T ID register; reg=00 val=69 */
        ret = rtl28xxu_ctrl_msg(d, &req_r820t);
-       if (ret == 0) {
+       if (ret == 0 && buf[0] == 0x69) {
                priv->tuner = TUNER_RTL2832_R820T;
                priv->tuner_name = "R820T";
                goto found;
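Review bot: The chip ID `0x69` in the new condition is a magic number explained only by the comment above it; a named constant would keep the two from drifting apart, e.g. `#define R820T_CHIP_ID 0x69` and `if (ret == 0 && buf[0] == R820T_CHIP_ID) {`. Because `buf` is reused by the probes in `rtl2832u_read_config`, the comparison also relies on `rtl28xxu_ctrl_msg` having written `buf[0]` whenever it returns 0. That is presumably the case, but it is not visible in this hunk and is worth confirming, since a stale byte from an earlier probe would otherwise be compared. The function body starts and ends outside the hunk.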