New subject: [alsa-devel] [patch] ALSA: asihpi - off by one in asihpi_hpi_ioctl()

27 Jul 2011

"adapter" is used as an array index in the adapters[] array so
the off by one would make us read past the end.
Signed-off-by: Dan Carpenter error27@gmail.com
---
1c073b67979 "ALSA: asihpi - Remove spurious adapter index check"
reverted Dan Rosenburg's check that would have prevented the
overflow here.
Also it moved the initialization of "pa" down a couple lines so I'm
concerned there may be a bogus derereference here when we check
pa->type.  I don't have the hardware, so I can't test this.

diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 65fcf47..7ba7073 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -183,7 +183,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
    	int wrflag = -1;
    	u32 adapter = hm->h.adapter_index;
-		if ((adapter > HPI_MAX_ADAPTERS) || (!pa->type)) {
+		if ((adapter >= HPI_MAX_ADAPTERS) || (!pa->type)) {
    		hpi_init_response(&hr->r0, HPI_OBJ_ADAPTER,
    			HPI_ADAPTER_OPEN,
    			HPI_ERROR_BAD_ADAPTER_NUMBER);

    

[alsa-devel] [patch] ALSA: asihpi - off by one in asihpi_hpi_ioctl()

Dan Carpenter

Takashi Iwai

tags (0)

participants (2)