If a line in the firmware file is larger than the given buffer size (and so the firmware file size), size is set to a value larger than the actual buffer size. This results in an overflow in the buffer passed.
Signed-off-by: Alexander Stein alexander.stein@systec-electronic.com --- Changes in v2: * Just remove the erroneous check
sound/pci/hda/hda_hwdep.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-)
diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c index 72e5885..7e7d078 100644 --- a/sound/pci/hda/hda_hwdep.c +++ b/sound/pci/hda/hda_hwdep.c @@ -756,8 +756,6 @@ static int get_line_from_fw(char *buf, int size, struct firmware *fw) } if (!fw->size) return 0; - if (size < fw->size) - size = fw->size;
for (len = 0; len < fw->size; len++) { if (!*p)