[alsa-devel] [patch v2] ALSA: asihpi: fix an information leak in asihpi_hpi_ioctl()
Takashi Iwai
tiwai at suse.de
Wed Dec 31 14:17:44 CET 2014
At Wed, 31 Dec 2014 23:48:32 +1300,
Eliot Blennerhassett wrote:
>
> Add missing limits to keep copied data within allocated buffer.
>
> Signed-off-by: Eliot Blennerhassett <eliot at blennerhassett.gen.nz>
> ---
> Regenerated, this should apply cleanly to for-next
OK, applied now. Thanks.
Takashi
>
> sound/pci/asihpi/hpi6000.c | 7 +++++--
> sound/pci/asihpi/hpioctl.c | 2 ++
> 2 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/sound/pci/asihpi/hpi6000.c b/sound/pci/asihpi/hpi6000.c
> index 2414d7a..2d63648 100644
> --- a/sound/pci/asihpi/hpi6000.c
> +++ b/sound/pci/asihpi/hpi6000.c
> @@ -47,7 +47,7 @@
>
> /* operational/messaging errors */
> #define HPI6000_ERROR_MSG_RESP_IDLE_TIMEOUT 901
> -
> +#define HPI6000_ERROR_RESP_GET_LEN 902
> #define HPI6000_ERROR_MSG_RESP_GET_RESP_ACK 903
> #define HPI6000_ERROR_MSG_GET_ADR 904
> #define HPI6000_ERROR_RESP_GET_ADR 905
> @@ -1365,7 +1365,10 @@ static short hpi6000_message_response_sequence(struct hpi_adapter_obj *pao,
> length = hpi_read_word(pdo, HPI_HIF_ADDR(length));
> } while (hpi6000_check_PCI2040_error_flag(pao, H6READ) && --timeout);
> if (!timeout)
> - length = sizeof(struct hpi_response);
> + return HPI6000_ERROR_RESP_GET_LEN;
> +
> + if (length > phr->size)
> + return HPI_ERROR_RESPONSE_BUFFER_TOO_SMALL;
>
> /* get the response */
> p_data = (u32 *)phr;
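Review bot: The new `length > phr->size` check bounds the device-reported length from above only, and it is correct only if `phr->size` still holds the capacity of the caller's response buffer at this point. Neither the initialisation of `phr->size` nor the read that consumes `length` is visible in this hunk. A short or zero `length` passes the check, so it is worth confirming that the code after `p_data = (u32 *)phr;` does not then treat stale bytes of `*phr` as a valid response. I would document the assumption at the check, e.g. `/* length is read from the DSP: phr->size must be the caller's buffer capacity here */`. hpi6000_message_response_sequence() starts before and continues after the hunk.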
> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
> index 6aa677e..72af66b 100644
> --- a/sound/pci/asihpi/hpioctl.c
> +++ b/sound/pci/asihpi/hpioctl.c
> @@ -153,6 +153,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> goto out;
> }
>
> + res_max_size = min_t(size_t, res_max_size, sizeof(*hr));
> +
> switch (hm->h.function) {
> case HPI_SUBSYS_CREATE_ADAPTER:
> case HPI_ADAPTER_DELETE:
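Review bot: Clamping `res_max_size` to `sizeof(*hr)` bounds how many bytes can later be copied out, but it does not by itself guarantee that those bytes were written by a handler. If `hr` is allocated without zeroing (the allocation is outside this hunk), a response shorter than the copied length could still carry stale kernel heap contents to user space. It is worth checking that the allocation zeroes the buffer, or that the copy-out length is the handler's actual response size rather than the clamped maximum. A comment at the clamp would help, e.g. `/* user-supplied size: never trust it beyond the kernel-side response buffer */`. The body of asihpi_hpi_ioctl() starts before and continues after the hunk.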
> --
> 1.9.1
>
>