Re: [PATCH] hda_hwdep: Fix possible buffer overflow

From: Takashi Iwai
Date: Wed Oct 26 2011 - 08:58:46 EST


At Wed, 26 Oct 2011 09:48:12 +0200,
Alexander Stein wrote:
>
> If a line in the firmware file is larger than the given buffer size (and
> so the firmware file size), size is set to a value larger than the actual
> buffer size. This results in an overflow in the buffer passed.
> Fix this by copying only up to 127 chars per line.

Actually this check should have been

if (size > fw->size)
size = fw->size;

Otherwise it doesn't make sense.
If the change is OK, could you resend the patch with it?


thanks,

Takashi

> Signed-off-by: Alexander Stein <alexander.stein@xxxxxxxxxxxxxxxxxxxxx>
> ---
> sound/pci/hda/hda_hwdep.c | 6 +++---
> 1 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c
> index bf3ced5..61da08d 100644
> --- a/sound/pci/hda/hda_hwdep.c
> +++ b/sound/pci/hda/hda_hwdep.c
> @@ -745,6 +745,7 @@ static int parse_line_mode(char *buf, struct hda_bus *bus)
> * if successfully copied a line
> *
> * the spaces at the beginning and the end of the line are stripped
> + * lines read are clamped to 127 chars
> */
> static int get_line_from_fw(char *buf, int size, struct firmware *fw)
> {
> @@ -756,8 +757,6 @@ static int get_line_from_fw(char *buf, int size, struct firmware *fw)
> }
> if (!fw->size)
> return 0;
> - if (size < fw->size)
> - size = fw->size;
>
> for (len = 0; len < fw->size; len++) {
> if (!*p)
> @@ -768,7 +767,8 @@ static int get_line_from_fw(char *buf, int size, struct firmware *fw)
> break;
> }
> if (len < size)
> - *buf++ = *p++;
> + *buf++ = *p;
> + p++;
> }
> *buf = 0;
> fw->size -= len;
> --
> 1.7.3.4
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/