[alsa-devel] [patch v3] ALSA: rawmidi: fix the get next midi device ioctl

Takashi Iwai tiwai at suse.de
Thu Sep 9 09:07:35 CEST 2010


At Thu, 9 Sep 2010 00:11:41 +0200,
Dan Carpenter wrote:
> 
> If we pass in a device which is higher than SNDRV_RAWMIDI_DEVICES then
> the "next device" should be -1.  This function just returns device + 1.
> 
> But the main thing is that "device + 1" can lead to a (harmless) integer
> overflow and that annoys static analysis tools.
> 
> Signed-off-by: Dan Carpenter <error27 at gmail.com>
> ---
> V2:  In the first version I made negative values return -EINVAL
> V3:  We shouldn't return -EINVAL for numbers which are too large but
>      just set the next device to -1.
> 
> diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
> index eb68326..df67605 100644
> --- a/sound/core/rawmidi.c
> +++ b/sound/core/rawmidi.c
> @@ -829,6 +829,8 @@ static int snd_rawmidi_control_ioctl(struct snd_card *card,
>  		
>  		if (get_user(device, (int __user *)argp))
>  			return -EFAULT;
> +		if (device > SNDRV_RAWMIDI_DEVICES) /* next device is -1 */
> +			device = SNDRV_RAWMIDI_DEVICES;
>  		mutex_lock(&register_mutex);
>  		device = device < 0 ? 0 : device + 1;
>  		while (device < SNDRV_RAWMIDI_DEVICES) {
> 

We still need to cover the case device == SNDRV_RAWMIDI_DEVICES.
Also, device is incremented, so it has to be SNDRV_RAWMIDI_DEVICE - 1.
i.e.

> +		if (device >= SNDRV_RAWMIDI_DEVICES) /* next device is -1 */
> +			device = SNDRV_RAWMIDI_DEVICES - 1;


I applied the fixed patch now.


thanks,

Takashi


More information about the Alsa-devel mailing list