All ioctls to the sound driver that are marked for doing both read and write
( IOC_INOUT in linux/soundcard.h )
never verify the 'arg' parameter with a call to verify_area.
This results in a kernel Oops when doing an illegal ioctl, when it should
return -1.
Example:
int dsp = open("/dev/dsp", O_WRONLY);
int speed = 8000;
int ret = ioctl(dsp, SNDCTL_DSP_SPEED, speed); /* Should be &speed */
This results in a kernel Oops.
The error is in sound_ioctl in soundcard.c, and this patch corrects it.
( I don't know if it is the correct way to correct it,
but anything similar should do.)
Thanks,
/ Henrik Wallin, henrik@triton.campus.luth.se
--- soundcard.c.orig Sat Apr 13 20:13:06 1996
+++ soundcard.c Sat Apr 13 20:09:24 1996
@@ -170,13 +170,13 @@
len = _IOC_SIZE (cmd);
- if (_IOC_DIR (cmd) == _IOC_WRITE)
+ if ( (_IOC_DIR (cmd) | _IOC_WRITE) != 0)
{
if ((err = verify_area (VERIFY_READ, (void *) arg, len)) < 0)
return err;
}
- if (_IOC_DIR (cmd) == _IOC_READ)
+ if ( (_IOC_DIR (cmd) | _IOC_READ) != 0)
{
if ((err = verify_area (VERIFY_WRITE, (void *) arg, len)) < 0)
return err;
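
Review bot: Both new conditions, "(_IOC_DIR (cmd) | _IOC_WRITE) != 0" and "(_IOC_DIR (cmd) | _IOC_READ) != 0", use bitwise OR against a nonzero constant, so they are always true whatever direction bits cmd carries. That does make the IOC_INOUT case reach both verify_area calls, but only because every command now does, including ones that carry just one direction bit or none. The test that matches the intent is a mask: "(_IOC_DIR (cmd) & _IOC_WRITE)" before the VERIFY_READ check and "(_IOC_DIR (cmd) & _IOC_READ)" before the VERIFY_WRITE check, so each check runs exactly when its direction bit is set and read/write commands get both.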