[alsa-devel] [patch] ALSA: dice: fix array limits in dice_proc_read()

Clemens Ladisch clemens at ladisch.de
Fri Nov 29 10:11:32 CET 2013


Dan Carpenter wrote:
> The array limits are supposed to be in units of u32 instead of in bytes.
> The current code has a potential array overflow.
>
> Fixes: c614475b0ea9 ('ALSA: dice: add a proc file to show device information')
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>

Acked-by: Clemens Ladisch <clemens at ladisch.de>

> diff --git a/sound/firewire/dice.c b/sound/firewire/dice.c
> index 57bcd31fcc12..c0aa64941cee 100644
> --- a/sound/firewire/dice.c
> +++ b/sound/firewire/dice.c
> @@ -1019,7 +1019,7 @@ static void dice_proc_read(struct snd_info_entry *entry,
>
>  	if (dice_proc_read_mem(dice, &tx_rx_header, sections[2], 2) < 0)
>  		return;
> -	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.tx));
> +	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.tx) / 4);
>  	for (stream = 0; stream < tx_rx_header.number; ++stream) {
>  		if (dice_proc_read_mem(dice, &buf.tx, sections[2] + 2 +
>  				       stream * tx_rx_header.size,
> @@ -1045,7 +1045,7 @@ static void dice_proc_read(struct snd_info_entry *entry,
>
>  	if (dice_proc_read_mem(dice, &tx_rx_header, sections[4], 2) < 0)
>  		return;
> -	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.rx));
> +	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.rx) / 4);
>  	for (stream = 0; stream < tx_rx_header.number; ++stream) {
>  		if (dice_proc_read_mem(dice, &buf.rx, sections[4] + 2 +
>  				       stream * tx_rx_header.size,


More information about the Alsa-devel mailing list