Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0d02e129 authored by Eliot Blennerhassett's avatar Eliot Blennerhassett Committed by Takashi Iwai
Browse files

ALSA: asihpi: fix an information leak in asihpi_hpi_ioctl() 



Add missing limits to keep copied data within allocated buffer.

Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarEliot Blennerhassett <eliot@blennerhassett.gen.nz>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent 240491e1

sound/pci/asihpi/hpi6000.c

+5 −2
Original line number Diff line number Diff line
@@ -47,7 +47,7 @@ 


/* operational/messaging errors */

#define HPI6000_ERROR_MSG_RESP_IDLE_TIMEOUT             901



#define HPI6000_ERROR_RESP_GET_LEN                      902

#define HPI6000_ERROR_MSG_RESP_GET_RESP_ACK             903

#define HPI6000_ERROR_MSG_GET_ADR                       904

#define HPI6000_ERROR_RESP_GET_ADR                      905
@@ -1365,7 +1365,10 @@ static short hpi6000_message_response_sequence(struct hpi_adapter_obj *pao, 
		length = hpi_read_word(pdo, HPI_HIF_ADDR(length));

	} while (hpi6000_check_PCI2040_error_flag(pao, H6READ) && --timeout);

	if (!timeout)

		length = sizeof(struct hpi_response);

		return HPI6000_ERROR_RESP_GET_LEN;



	if (length > phr->size)

		return HPI_ERROR_RESPONSE_BUFFER_TOO_SMALL;



	/* get the response */

	p_data = (u32 *)phr;

sound/pci/asihpi/hpioctl.c

+2 −0
Original line number Diff line number Diff line
@@ -153,6 +153,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) 
		goto out;

	}



	res_max_size = min_t(size_t, res_max_size, sizeof(*hr));



	switch (hm->h.function) {

	case HPI_SUBSYS_CREATE_ADAPTER:

	case HPI_ADAPTER_DELETE: