At Wed, 31 Dec 2014 23:48:32 +1300, Eliot Blennerhassett wrote:

Add missing limits to keep copied data within allocated buffer.

Signed-off-by: Eliot Blennerhassett eliot@blennerhassett.gen.nz

Regenerated, this should apply cleanly to for-next

OK, applied now. Thanks.

Takashi

sound/pci/asihpi/hpi6000.c | 7 +++++-- sound/pci/asihpi/hpioctl.c | 2 ++ 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/sound/pci/asihpi/hpi6000.c b/sound/pci/asihpi/hpi6000.c index 2414d7a..2d63648 100644 --- a/sound/pci/asihpi/hpi6000.c +++ b/sound/pci/asihpi/hpi6000.c @@ -47,7 +47,7 @@

/* operational/messaging errors */ #define HPI6000_ERROR_MSG_RESP_IDLE_TIMEOUT 901

+#define HPI6000_ERROR_RESP_GET_LEN 902 #define HPI6000_ERROR_MSG_RESP_GET_RESP_ACK 903 #define HPI6000_ERROR_MSG_GET_ADR 904 #define HPI6000_ERROR_RESP_GET_ADR 905 @@ -1365,7 +1365,10 @@ static short hpi6000_message_response_sequence(struct hpi_adapter_obj *pao, length = hpi_read_word(pdo, HPI_HIF_ADDR(length)); } while (hpi6000_check_PCI2040_error_flag(pao, H6READ) && --timeout); if (!timeout)

• length = sizeof(struct hpi_response);
  

• return HPI6000_ERROR_RESP_GET_LEN;
  

• if (length > phr->size)

• return HPI_ERROR_RESPONSE_BUFFER_TOO_SMALL;
  
  

  /* get the response */ p_data = (u32 *)phr;

diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c index 6aa677e..72af66b 100644 --- a/sound/pci/asihpi/hpioctl.c +++ b/sound/pci/asihpi/hpioctl.c @@ -153,6 +153,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) goto out; }

• res_max_size = min_t(size_t, res_max_size, sizeof(*hr));
• switch (hm->h.function) { case HPI_SUBSYS_CREATE_ADAPTER: case HPI_ADAPTER_DELETE:

-- 1.9.1