From 2430f4b080751c5fc9f242c1db60ab638fb7a9db Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Sun, 17 Jul 2011 00:24:37 -0300 Subject: [PATCH] si4713-i2c: avoid potential buffer overflow on si4713, CVE-2011-2700 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit BugLink: http://bugs.launchpad.net/bugs/844370 CVE-2011-2700 While compiling it with Fedora 15, I noticed this issue: inlined from ‘si4713_write_econtrol_string’ at drivers/media/radio/si4713-i2c.c:1065:24: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct Cc: stable@kernel.org Signed-off-by: Mauro Carvalho Chehab Acked-by: Sakari Ailus Acked-by: Eduardo Valentin Reviewed-by: Eugene Teo Signed-off-by: Linus Torvalds (cherry picked from commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6) Signed-off-by: Andy Whitcroft Acked-by: Stefan Bader Signed-off-by: Tim Gardner --- drivers/media/radio/si4713-i2c.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/radio/si4713-i2c.c b/drivers/media/radio/si4713-i2c.c index 0fab6f8..924445a 100644 --- a/drivers/media/radio/si4713-i2c.c +++ b/drivers/media/radio/si4713-i2c.c @@ -1033,7 +1033,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev, char ps_name[MAX_RDS_PS_NAME + 1]; len = control->size - 1; - if (len > MAX_RDS_PS_NAME) { + if (len < 0 || len > MAX_RDS_PS_NAME) { rval = -ERANGE; goto exit; } @@ -1057,7 +1057,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev, char radio_text[MAX_RDS_RADIO_TEXT + 1]; len = control->size - 1; - if (len > MAX_RDS_RADIO_TEXT) { + if (len < 0 || len > MAX_RDS_RADIO_TEXT) { rval = -ERANGE; goto exit; } -- 1.7.10.4