Re: [patch v3] ALSA: rawmidi: fix the get next midi device ioctl

At Thu, 9 Sep 2010 00:11:41 +0200,
Dan Carpenter wrote:
> 
> If we pass in a device which is higher than SNDRV_RAWMIDI_DEVICES then
> the "next device" should be -1.  This function just returns device + 1.
> 
> But the main thing is that "device + 1" can lead to a (harmless) integer
> overflow and that annoys static analysis tools.
> 
> Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
> ---
> V2:  In the first version I made negative values return -EINVAL
> V3:  We shouldn't return -EINVAL for numbers which are too large but
>      just set the next device to -1.
> 
> diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
> index eb68326..df67605 100644
> --- a/sound/core/rawmidi.c
> +++ b/sound/core/rawmidi.c
> @@ -829,6 +829,8 @@ static int snd_rawmidi_control_ioctl(struct snd_card *card,
>  		
>  		if (get_user(device, (int __user *)argp))
>  			return -EFAULT;
> +		if (device > SNDRV_RAWMIDI_DEVICES) /* next device is -1 */
> +			device = SNDRV_RAWMIDI_DEVICES;
>  		mutex_lock(&register_mutex);
>  		device = device < 0 ? 0 : device + 1;
>  		while (device < SNDRV_RAWMIDI_DEVICES) {
> 
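Review bot: the bound check on the first added line uses `>` where it needs `>=`, and the clamp value on the second added line is one too high. An input of exactly SNDRV_RAWMIDI_DEVICES is not caught by the check, and a clamped value is set to that same number, so in both cases the following context line `device = device < 0 ? 0 : device + 1;` leaves device at SNDRV_RAWMIDI_DEVICES + 1. The `while (device < SNDRV_RAWMIDI_DEVICES)` loop is then skipped with device one past the limit rather than exactly on it. The code after the loop is not part of this hunk, so whatever turns the end-of-range value into -1 should be checked against that; clamping with `if (device >= SNDRV_RAWMIDI_DEVICES)` to `SNDRV_RAWMIDI_DEVICES - 1` makes the increment land exactly on SNDRV_RAWMIDI_DEVICES and still removes the `device + 1` overflow for large inputs. The comment `/* next device is -1 */` describes the eventual result, not what the assignment does, and would read better as a note that the value is clamped before the increment.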

We still need to cover the case device == SNDRV_RAWMIDI_DEVICES.
Also, device is incremented, so it has to be SNDRV_RAWMIDI_DEVICES - 1.
i.e.

> +		if (device >= SNDRV_RAWMIDI_DEVICES) /* next device is -1 */
> +			device = SNDRV_RAWMIDI_DEVICES - 1;


I applied the fixed patch now.


thanks,

Takashi