At Wed, 26 Oct 2011 09:48:12 +0200, Alexander Stein wrote:

If a line in the firmware file is larger than the given buffer size (and so the firmware file size), size is set to a value larger than the actual buffer size. This results in an overflow in the buffer passed. Fix this by copying only up to 127 chars per line.

Actually this check should have been

if (size > fw->size) size = fw->size;

Otherwise it doesn't make sense. If the change is OK, could you resend the patch with it?

thanks,

Takashi

Signed-off-by: Alexander Stein alexander.stein@systec-electronic.com

sound/pci/hda/hda_hwdep.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c index bf3ced5..61da08d 100644 --- a/sound/pci/hda/hda_hwdep.c +++ b/sound/pci/hda/hda_hwdep.c @@ -745,6 +745,7 @@ static int parse_line_mode(char *buf, struct hda_bus *bus)

• if successfully copied a line
• the spaces at the beginning and the end of the line are stripped

• • lines read are clamped to 127 chars
  */

static int get_line_from_fw(char *buf, int size, struct firmware *fw) { @@ -756,8 +757,6 @@ static int get_line_from_fw(char *buf, int size, struct firmware *fw) } if (!fw->size) return 0;

• if (size < fw->size)

• size = fw->size;
  
  

  for (len = 0; len < fw->size; len++) { if (!*p)

@@ -768,7 +767,8 @@ static int get_line_from_fw(char *buf, int size, struct firmware *fw) break; } if (len < size)

• 	*buf++ = *p++;
  

• 	*buf++ = *p;
  

• p++;
  

  } *buf = 0; fw->size -= len;

-- 1.7.3.4