On Thu, 9 Sep 2010, Takashi Iwai wrote:
At Thu, 9 Sep 2010 00:11:41 +0200,
Dan Carpenter wrote:
If we pass in a device which is higher than SNDRV_RAWMIDI_DEVICES then
the "next device" should be -1. This function just returns device + 1.
But the main thing is that "device + 1" can lead to a (harmless) integer
overflow and that annoys static analysis tools.
Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
---
V2: In the first version I made negative values return -EINVAL
V3: We shouldn't return -EINVAL for numbers which are too large but
just set the next device to -1.
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index eb68326..df67605 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -829,6 +829,8 @@ static int snd_rawmidi_control_ioctl(struct snd_card *card,
if (get_user(device, (int __user *)argp))
return -EFAULT;
+ if (device > SNDRV_RAWMIDI_DEVICES) /* next device is -1 */
+ device = SNDRV_RAWMIDI_DEVICES;
mutex_lock(®ister_mutex);
device = device < 0 ? 0 : device + 1;
while (device < SNDRV_RAWMIDI_DEVICES) {
We still need to cover the case device == SNDRV_RAWMIDI_DEVICES.
Also, device is incremented, so it has to be SNDRV_RAWMIDI_DEVICE - 1.
i.e.
+ if (device >= SNDRV_RAWMIDI_DEVICES) /* next device is -1 */
+ device = SNDRV_RAWMIDI_DEVICES - 1;
I applied the fixed patch now.
Maybe a goto to 'device = -1' line from the condition above might be more
light (resulted instruction code size) and understandable for this case.
Jaroslav
-----
Jaroslav Kysela <perex@xxxxxxxx>
Linux Kernel Sound Maintainer
ALSA Project, Red Hat, Inc.
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
