At Wed, 27 Jul 2011 15:02:26 +0300,
Dan Carpenter wrote:
>
> "adapter" is used as an array index in the adapters[] array so
> the off by one would make us read past the end.
>
> Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
Applied now. Thanks.
Takashi
> ---
> 1c073b67979 "ALSA: asihpi - Remove spurious adapter index check"
> reverted Dan Rosenburg's check that would have prevented the
> overflow here.
>
> Also it moved the initialization of "pa" down a couple lines so I'm
> concerned there may be a bogus derereference here when we check
> pa->type. I don't have the hardware, so I can't test this.
>
> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
> index 65fcf47..7ba7073 100644
> --- a/sound/pci/asihpi/hpioctl.c
> +++ b/sound/pci/asihpi/hpioctl.c
> @@ -183,7 +183,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> int wrflag = -1;
> u32 adapter = hm->h.adapter_index;
>
> - if ((adapter > HPI_MAX_ADAPTERS) || (!pa->type)) {
> + if ((adapter >= HPI_MAX_ADAPTERS) || (!pa->type)) {
> hpi_init_response(&hr->r0, HPI_OBJ_ADAPTER,
> HPI_ADAPTER_OPEN,
> HPI_ERROR_BAD_ADAPTER_NUMBER);
>
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
