* ascot2e.c off by one bug
@ 2016-05-28 9:28 Saso Slavicic
2016-05-28 10:11 ` Antti Palosaari
0 siblings, 1 reply; 2+ messages in thread
From: Saso Slavicic @ 2016-05-28 9:28 UTC (permalink / raw)
To: linux-media
Hi,
Tuning a card with Sony ASCOT2E produces the following error:
kernel: i2c i2c-9: wr reg=0006: len=11 is too big!
MAX_WRITE_REGSIZE is defined as 10, buf[MAX_WRITE_REGSIZE + 1] buffer is
used in ascot2e_write_regs().
The problem is that exactly 10 bytes are written in ascot2e_set_params():
/* Set BW_OFFSET (0x0F) value from parameter table */
data[9] = ascot2e_sett[tv_system].bw_offset;
ascot2e_write_regs(priv, 0x06, data, 10);
The test in write_regs is as follows:
if (len + 1 >= sizeof(buf))
10 + 1 = 11 and that would be exactly the size of buf. Since 10 bytes +
buf[0] = reg would seem to fit into buf[], this shouldn't be an error.
The following patch fixes the problem for me, I have tested the card and it
seems to be working fine.
---
drivers/media/dvb-frontends/ascot2e.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/media/dvb-frontends/ascot2e.c
b/drivers/media/dvb-frontends/ascot2e.c
--- a/drivers/media/dvb-frontends/ascot2e.c
+++ b/drivers/media/dvb-frontends/ascot2e.c
@@ -132,7 +132,7 @@ static int ascot2e_write_regs(struct ascot2e_priv *priv,
}
};
- if (len + 1 >= sizeof(buf)) {
+ if (len + 1 > sizeof(buf)) {
dev_warn(&priv->i2c->dev,"wr reg=%04x: len=%d is too
big!\n",
reg, len + 1);
return -E2BIG;
Regards,
Saso Slavicic
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: ascot2e.c off by one bug
2016-05-28 9:28 ascot2e.c off by one bug Saso Slavicic
@ 2016-05-28 10:11 ` Antti Palosaari
0 siblings, 0 replies; 2+ messages in thread
From: Antti Palosaari @ 2016-05-28 10:11 UTC (permalink / raw)
To: Saso Slavicic, linux-media
Convert it to regmap at the same (just a hint...)
On 05/28/2016 12:28 PM, Saso Slavicic wrote:
> Hi,
>
> Tuning a card with Sony ASCOT2E produces the following error:
>
> kernel: i2c i2c-9: wr reg=0006: len=11 is too big!
>
> MAX_WRITE_REGSIZE is defined as 10, buf[MAX_WRITE_REGSIZE + 1] buffer is
> used in ascot2e_write_regs().
>
> The problem is that exactly 10 bytes are written in ascot2e_set_params():
>
> /* Set BW_OFFSET (0x0F) value from parameter table */
> data[9] = ascot2e_sett[tv_system].bw_offset;
> ascot2e_write_regs(priv, 0x06, data, 10);
>
> The test in write_regs is as follows:
>
> if (len + 1 >= sizeof(buf))
>
> 10 + 1 = 11 and that would be exactly the size of buf. Since 10 bytes +
> buf[0] = reg would seem to fit into buf[], this shouldn't be an error.
>
> The following patch fixes the problem for me, I have tested the card and it
> seems to be working fine.
>
> ---
> drivers/media/dvb-frontends/ascot2e.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/media/dvb-frontends/ascot2e.c
> b/drivers/media/dvb-frontends/ascot2e.c
> --- a/drivers/media/dvb-frontends/ascot2e.c
> +++ b/drivers/media/dvb-frontends/ascot2e.c
> @@ -132,7 +132,7 @@ static int ascot2e_write_regs(struct ascot2e_priv *priv,
> }
> };
>
> - if (len + 1 >= sizeof(buf)) {
> + if (len + 1 > sizeof(buf)) {
> dev_warn(&priv->i2c->dev,"wr reg=%04x: len=%d is too
> big!\n",
> reg, len + 1);
> return -E2BIG;
>
> Regards,
> Saso Slavicic
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-media" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
http://palosaari.fi/
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-05-28 10:11 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-28 9:28 ascot2e.c off by one bug Saso Slavicic
2016-05-28 10:11 ` Antti Palosaari
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).