[PATCH] dvb-usb-v2/gl861: fix wrong memcpy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

The memcpy in gl861_i2c_read_ex() in gl861.c swapped the src and dst arguments,
leaving the rbuf uninitialized.

This issue caused this syzbot error:

https://syzkaller.appspot.com/bug?extid=9e6bf7282557bd1fc80d

Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Reported-and-tested-by: syzbot+9e6bf7282557bd1fc80d@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: commit b30cc07de8a9 ("media: dvb-usb/friio, dvb-usb-v2/gl861: decompose friio and merge with gl861")
---
Does anyone have this hardware? This device must have been dead for about
a year, ever since commit b30cc07de8a9 was merged.
---
diff --git a/drivers/media/usb/dvb-usb-v2/gl861.c b/drivers/media/usb/dvb-usb-v2/gl861.c
index b784d9da1a82..65d7c51ef56f 100644
--- a/drivers/media/usb/dvb-usb-v2/gl861.c
+++ b/drivers/media/usb/dvb-usb-v2/gl861.c
@@ -222,7 +222,7 @@ gl861_i2c_read_ex(struct dvb_usb_device *d, u8 addr, u8 *rbuf, u16 rlen)
 				 GL861_REQ_I2C_READ, GL861_READ,
 				 addr << (8 + 1), 0x0100, buf, rlen, 2000);
 	if (ret > 0 && rlen > 0)
-		memcpy(buf, rbuf, rlen);
+		memcpy(rbuf, buf, rlen);
 	kfree(buf);
 	return ret;
 }
[Index of Archives]     [Linux Input]     [Video for Linux]     [Gstreamer Embedded]     [Mplayer Users]     [Linux USB Devel]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]

  Powered by Linux