[media] dvb-frontends: Don't use dynamic static allocation

+14 -1

drivers/media/dvb-frontends/bcm3510.c

··· 44 44 #include "bcm3510.h" 45 45 #include "bcm3510_priv.h" 46 46 47 + /* Max transfer size done by bcm3510_do_hab_cmd() function */ 48 + #define MAX_XFER_SIZE 128 49 + 47 50 struct bcm3510_state { 48 51 49 52 struct i2c_adapter* i2c; ··· 204 201 205 202 static int bcm3510_do_hab_cmd(struct bcm3510_state *st, u8 cmd, u8 msgid, u8 *obuf, u8 olen, u8 *ibuf, u8 ilen) 206 203 { 207 - u8 ob[olen+2],ib[ilen+2]; 204 + u8 ob[MAX_XFER_SIZE], ib[MAX_XFER_SIZE]; 208 205 int ret = 0; 206 + 207 + if (ilen + 2 > sizeof(ib)) { 208 + deb_hab("do_hab_cmd: ilen=%d is too big!\n", ilen); 209 + return -EINVAL; 210 + } 211 + 212 + if (olen + 2 > sizeof(ob)) { 213 + deb_hab("do_hab_cmd: olen=%d is too big!\n", olen); 214 + return -EINVAL; 215 + } 209 216 210 217 ob[0] = cmd; 211 218 ob[1] = msgid;

+12 -1

drivers/media/dvb-frontends/itd1000.c

··· 31 31 #include "itd1000.h" 32 32 #include "itd1000_priv.h" 33 33 34 + /* Max transfer size done by I2C transfer functions */ 35 + #define MAX_XFER_SIZE 64 36 + 34 37 static int debug; 35 38 module_param(debug, int, 0644); 36 39 MODULE_PARM_DESC(debug, "Turn on/off debugging (default:off)."); ··· 55 52 /* don't write more than one byte with flexcop behind */ 56 53 static int itd1000_write_regs(struct itd1000_state *state, u8 reg, u8 v[], u8 len) 57 54 { 58 - u8 buf[1+len]; 55 + u8 buf[MAX_XFER_SIZE]; 59 56 struct i2c_msg msg = { 60 57 .addr = state->cfg->i2c_address, .flags = 0, .buf = buf, .len = len+1 61 58 }; 59 + 60 + if (1 + len > sizeof(buf)) { 61 + printk(KERN_WARNING 62 + "itd1000: i2c wr reg=%04x: len=%d is too big!\n", 63 + reg, len); 64 + return -EINVAL; 65 + } 66 + 62 67 buf[0] = reg; 63 68 memcpy(&buf[1], v, len); 64 69

+9 -1

drivers/media/dvb-frontends/mt312.c

··· 36 36 #include "mt312_priv.h" 37 37 #include "mt312.h" 38 38 39 + /* Max transfer size done by I2C transfer functions */ 40 + #define MAX_XFER_SIZE 64 39 41 40 42 struct mt312_state { 41 43 struct i2c_adapter *i2c; ··· 98 96 const u8 *src, const size_t count) 99 97 { 100 98 int ret; 101 - u8 buf[count + 1]; 99 + u8 buf[MAX_XFER_SIZE]; 102 100 struct i2c_msg msg; 101 + 102 + if (1 + count > sizeof(buf)) { 103 + printk(KERN_WARNING 104 + "mt312: write: len=%zd is too big!\n", count); 105 + return -EINVAL; 106 + } 103 107 104 108 if (debug) { 105 109 int i;

+10 -1

drivers/media/dvb-frontends/nxt200x.c

··· 39 39 */ 40 40 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 41 41 42 + /* Max transfer size done by I2C transfer functions */ 43 + #define MAX_XFER_SIZE 64 44 + 42 45 #define NXT2002_DEFAULT_FIRMWARE "dvb-fe-nxt2002.fw" 43 46 #define NXT2004_DEFAULT_FIRMWARE "dvb-fe-nxt2004.fw" 44 47 #define CRC_CCIT_MASK 0x1021 ··· 98 95 static int nxt200x_writebytes (struct nxt200x_state* state, u8 reg, 99 96 const u8 *buf, u8 len) 100 97 { 101 - u8 buf2 [len+1]; 98 + u8 buf2[MAX_XFER_SIZE]; 102 99 int err; 103 100 struct i2c_msg msg = { .addr = state->config->demod_address, .flags = 0, .buf = buf2, .len = len + 1 }; 101 + 102 + if (1 + len > sizeof(buf2)) { 103 + pr_warn("%s: i2c wr reg=%04x: len=%d is too big!\n", 104 + __func__, reg, len); 105 + return -EINVAL; 106 + } 104 107 105 108 buf2[0] = reg; 106 109 memcpy(&buf2[1], buf, len);

+10 -1

drivers/media/dvb-frontends/stb6100.c

··· 31 31 static unsigned int verbose; 32 32 module_param(verbose, int, 0644); 33 33 34 + /* Max transfer size done by I2C transfer functions */ 35 + #define MAX_XFER_SIZE 64 34 36 35 37 #define FE_ERROR 0 36 38 #define FE_NOTICE 1 ··· 185 183 static int stb6100_write_reg_range(struct stb6100_state *state, u8 buf[], int start, int len) 186 184 { 187 185 int rc; 188 - u8 cmdbuf[len + 1]; 186 + u8 cmdbuf[MAX_XFER_SIZE]; 189 187 struct i2c_msg msg = { 190 188 .addr = state->config->tuner_address, 191 189 .flags = 0, 192 190 .buf = cmdbuf, 193 191 .len = len + 1 194 192 }; 193 + 194 + if (1 + len > sizeof(buf)) { 195 + printk(KERN_WARNING 196 + "%s: i2c wr: len=%d is too big!\n", 197 + KBUILD_MODNAME, len); 198 + return -EINVAL; 199 + } 195 200 196 201 if (unlikely(start < 1 || start + len > STB6100_NUMREGS)) { 197 202 dprintk(verbose, FE_ERROR, 1, "Invalid register range %d:%d",

+11 -1

drivers/media/dvb-frontends/stv6110.c

··· 30 30 31 31 #include "stv6110.h" 32 32 33 + /* Max transfer size done by I2C transfer functions */ 34 + #define MAX_XFER_SIZE 64 35 + 33 36 static int debug; 34 37 35 38 struct stv6110_priv { ··· 71 68 { 72 69 struct stv6110_priv *priv = fe->tuner_priv; 73 70 int rc; 74 - u8 cmdbuf[len + 1]; 71 + u8 cmdbuf[MAX_XFER_SIZE]; 75 72 struct i2c_msg msg = { 76 73 .addr = priv->i2c_address, 77 74 .flags = 0, ··· 80 77 }; 81 78 82 79 dprintk("%s\n", __func__); 80 + 81 + if (1 + len > sizeof(cmdbuf)) { 82 + printk(KERN_WARNING 83 + "%s: i2c wr: len=%d is too big!\n", 84 + KBUILD_MODNAME, len); 85 + return -EINVAL; 86 + } 83 87 84 88 if (start + len > 8) 85 89 return -EINVAL;

+12 -1

drivers/media/dvb-frontends/stv6110x.c

··· 32 32 #include "stv6110x.h" 33 33 #include "stv6110x_priv.h" 34 34 35 + /* Max transfer size done by I2C transfer functions */ 36 + #define MAX_XFER_SIZE 64 37 + 35 38 static unsigned int verbose; 36 39 module_param(verbose, int, 0644); 37 40 MODULE_PARM_DESC(verbose, "Set Verbosity level"); ··· 64 61 { 65 62 int ret; 66 63 const struct stv6110x_config *config = stv6110x->config; 67 - u8 buf[len + 1]; 64 + u8 buf[MAX_XFER_SIZE]; 65 + 68 66 struct i2c_msg msg = { 69 67 .addr = config->addr, 70 68 .flags = 0, 71 69 .buf = buf, 72 70 .len = len + 1 73 71 }; 72 + 73 + if (1 + len > sizeof(buf)) { 74 + printk(KERN_WARNING 75 + "%s: i2c wr: len=%d is too big!\n", 76 + KBUILD_MODNAME, len); 77 + return -EINVAL; 78 + } 74 79 75 80 if (start + len > 8) 76 81 return -EINVAL;

+12 -2

drivers/media/dvb-frontends/tda18271c2dd.c

··· 34 34 #include "dvb_frontend.h" 35 35 #include "tda18271c2dd.h" 36 36 37 + /* Max transfer size done by I2C transfer functions */ 38 + #define MAX_XFER_SIZE 64 39 + 37 40 struct SStandardParam { 38 41 s32 m_IFFrequency; 39 42 u32 m_BandWidth; ··· 142 139 static int WriteRegs(struct tda_state *state, 143 140 u8 SubAddr, u8 *Regs, u16 nRegs) 144 141 { 145 - u8 data[nRegs+1]; 142 + u8 data[MAX_XFER_SIZE]; 143 + 144 + if (1 + nRegs > sizeof(data)) { 145 + printk(KERN_WARNING 146 + "%s: i2c wr: len=%d is too big!\n", 147 + KBUILD_MODNAME, nRegs); 148 + return -EINVAL; 149 + } 146 150 147 151 data[0] = SubAddr; 148 152 memcpy(data + 1, Regs, nRegs); 149 - return i2c_write(state->i2c, state->adr, data, nRegs+1); 153 + return i2c_write(state->i2c, state->adr, data, nRegs + 1); 150 154 } 151 155 152 156 static int WriteReg(struct tda_state *state, u8 SubAddr, u8 Reg)

+11 -1

drivers/media/dvb-frontends/zl10039.c

··· 30 30 31 31 static int debug; 32 32 33 + /* Max transfer size done by I2C transfer functions */ 34 + #define MAX_XFER_SIZE 64 35 + 33 36 #define dprintk(args...) \ 34 37 do { \ 35 38 if (debug) \ ··· 101 98 const enum zl10039_reg_addr reg, const u8 *src, 102 99 const size_t count) 103 100 { 104 - u8 buf[count + 1]; 101 + u8 buf[MAX_XFER_SIZE]; 105 102 struct i2c_msg msg = { 106 103 .addr = state->i2c_addr, 107 104 .flags = 0, 108 105 .buf = buf, 109 106 .len = count + 1, 110 107 }; 108 + 109 + if (1 + count > sizeof(buf)) { 110 + printk(KERN_WARNING 111 + "%s: i2c wr reg=%04x: len=%zd is too big!\n", 112 + KBUILD_MODNAME, reg, count); 113 + return -EINVAL; 114 + } 111 115 112 116 dprintk("%s\n", __func__); 113 117 /* Write register address and data in one go */