[patch] ALSA: dice: fix array limits in dice_proc_read()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The array limits are supposed to be in units of u32 instead of in bytes.
The current code has a potential array overflow.

Fixes: c614475b0ea9 ('ALSA: dice: add a proc file to show device information')
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

diff --git a/sound/firewire/dice.c b/sound/firewire/dice.c
index 57bcd31fcc12..c0aa64941cee 100644
--- a/sound/firewire/dice.c
+++ b/sound/firewire/dice.c
@@ -1019,7 +1019,7 @@ static void dice_proc_read(struct snd_info_entry *entry,
 
 	if (dice_proc_read_mem(dice, &tx_rx_header, sections[2], 2) < 0)
 		return;
-	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.tx));
+	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.tx) / 4);
 	for (stream = 0; stream < tx_rx_header.number; ++stream) {
 		if (dice_proc_read_mem(dice, &buf.tx, sections[2] + 2 +
 				       stream * tx_rx_header.size,
@@ -1045,7 +1045,7 @@ static void dice_proc_read(struct snd_info_entry *entry,
 
 	if (dice_proc_read_mem(dice, &tx_rx_header, sections[4], 2) < 0)
 		return;
-	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.rx));
+	quadlets = min_t(u32, tx_rx_header.size, sizeof(buf.rx) / 4);
 	for (stream = 0; stream < tx_rx_header.number; ++stream) {
 		if (dice_proc_read_mem(dice, &buf.rx, sections[4] + 2 +
 				       stream * tx_rx_header.size,
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux