[alsa-devel] hdsp: potential oops in snd_hdsp_info_pref_sync_ref()
My static check complains that there is a potential oops here but I'm not sure what the correct fix is.
sound/pci/rme9652/hdsp.c

        switch (hdsp->io_type) {
        case Digiface:
        case H9652:
                uinfo->value.enumerated.items = 6;
                break;
        case Multiface:
                uinfo->value.enumerated.items = 4;
                break;
        case H9632:
                uinfo->value.enumerated.items = 3;
                break;
        default:
                uinfo->value.enumerated.items = 0;
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We set this to zero here.

                break;
        }

        if (uinfo->value.enumerated.item >= uinfo->value.enumerated.items)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
enumerated.item is unsigned int so it's always greater or equal to zero.

                uinfo->value.enumerated.item = uinfo->value.enumerated.items - 1;

We set it to UINT_MAX here.

        strcpy(uinfo->value.enumerated.name, texts[uinfo->value.enumerated.item]);
                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Reading UINT_MAX beyond the end of the array here will probably oops.

        return 0;

There is a similar issue in snd_asihpi_cmode_info().
regards, dan carpenter
At Fri, 6 Jan 2012 16:59:57 +0300, Dan Carpenter wrote:
> My static check complains that there is a potential oops here but I'm not sure what the correct fix is.
>
> sound/pci/rme9652/hdsp.c
>
>         switch (hdsp->io_type) {
>         case Digiface:
>         case H9652:
>                 uinfo->value.enumerated.items = 6;
>                 break;
>         case Multiface:
>                 uinfo->value.enumerated.items = 4;
>                 break;
>         case H9632:
>                 uinfo->value.enumerated.items = 3;
>                 break;
>         default:
>                 uinfo->value.enumerated.items = 0;
>                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> We set this to zero here.
>
>                 break;
>         }
>
>         if (uinfo->value.enumerated.item >= uinfo->value.enumerated.items)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> enumerated.item is unsigned int so it's always greater or equal to zero.
>
>                 uinfo->value.enumerated.item = uinfo->value.enumerated.items - 1;
>
> We set it to UINT_MAX here.
>
>         strcpy(uinfo->value.enumerated.name, texts[uinfo->value.enumerated.item]);
>                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Reading UINT_MAX beyond the end of the array here will probably oops.
>
>         return 0;
>
> There is a similar issue in snd_asihpi_cmode_info().

Right, this is an obvious bug. The driver should return an error immediately there.
I fixed them in the sound git tree now.
Thanks!
Takashi
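
The wraparound reported above and the "return an error immediately" approach from the reply, as an added example; it is not the driver's code and not the fix that went into the sound git tree. The struct, the placeholder strings in texts[], the function names and the choice of -EINVAL are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the driver's types (assumptions, not kernel definitions). */
enum io_type { Digiface, H9652, Multiface, H9632, Undefined };
struct enum_info { unsigned int items, item; char name[64]; };

/* Constructed placeholder names, not the driver's real strings. */
static const char *const texts[] = { "ref0", "ref1", "ref2", "ref3", "ref4", "ref5" };

static unsigned int items_for(enum io_type t)
{
	switch (t) {
	case Digiface: case H9652: return 6;
	case Multiface:            return 4;
	case H9632:                return 3;
	default:                   return 0;
	}
}

/* The clamp from the report, index only (texts[] is never touched here). */
static unsigned int clamped_index_buggy(unsigned int item, unsigned int items)
{
	if (item >= items)      /* always true when items == 0 */
		item = items - 1;   /* 0 - 1 wraps to UINT_MAX */
	return item;
}

/* Hardened: fail before clamping when the card type has no entries. */
static int info_checked(enum io_type t, struct enum_info *u)
{
	u->items = items_for(t);
	if (u->items == 0)
		return -EINVAL;     /* assumed error code */
	if (u->item >= u->items)
		u->item = u->items - 1;
	strcpy(u->name, texts[u->item]);
	return 0;
}

int main(void)
{
	struct enum_info u = { .item = 9 };
	printf("buggy index, unknown card: %u\n", clamped_index_buggy(u.item, items_for(Undefined)));
	printf("checked, unknown card: %d\n", info_checked(Undefined, &u));
	printf("checked, Multiface: %d (%s)\n", info_checked(Multiface, &u), u.name);
	return 0;
}
```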