[alsa-devel] [patch] ALSA: compress: info leak in snd_compr_get_caps()
walter harms
wharms at bfs.de
Sun Apr 21 13:40:25 CEST 2013
Am 21.04.2013 13:07, schrieb Dan Carpenter:
> If the ->get_caps() function doesn't clear the buffer then there would
> stack information leaked to userspace. For example,
> soc_compr_get_caps() can return success without clearing the buffer.
>
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> ---
> Perhaps the soc_compr_get_caps() function should return an error code
> if the platform->driver->compr_ops is NULL. I'm not sure about that,
> and it's a separate issue anyway.
>
> diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
> index c84abc8..8d3190a 100644
> --- a/sound/core/compress_offload.c
> +++ b/sound/core/compress_offload.c
> @@ -375,6 +375,7 @@ snd_compr_get_caps(struct snd_compr_stream *stream, unsigned long arg)
> if (!stream->ops->get_caps)
> return -ENXIO;
>
> + memset(&caps, 0, sizeof(caps));
> retval = stream->ops->get_caps(stream, &caps);
> if (retval)
> goto out;
> --
IMHO this should be done in get_caps() as it will manipulate the entries.
or is there a special reason to have it here ?
re,
wh
More information about the Alsa-devel
mailing list