Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[PATCH] hda_hwdep: Fix possible buffer overflow
2 views
Skip to first unread message
Alexander Stein
Oct 26, 2011, 3:50:02 AM10/26/11
to
If a line in the firmware file is larger than the given buffer size (and
so the firmware file size), size is set to a value larger than the actual
buffer size. This results in an overflow in the buffer passed.
Fix this by copying only up to 127 chars per line.
Signed-off-by: Alexander Stein <alexand...@systec-electronic.com>
---
sound/pci/hda/hda_hwdep.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c
index bf3ced5..61da08d 100644
--- a/sound/pci/hda/hda_hwdep.c
+++ b/sound/pci/hda/hda_hwdep.c
@@ -745,6 +745,7 @@ static int parse_line_mode(char *buf, struct hda_bus *bus)
* if successfully copied a line
*
* the spaces at the beginning and the end of the line are stripped
+ * lines read are clamped to 127 chars
*/
static int get_line_from_fw(char *buf, int size, struct firmware *fw)
{
@@ -756,8 +757,6 @@ static int get_line_from_fw(char *buf, int size, struct firmware *fw)
}
if (!fw->size)
return 0;
- if (size < fw->size)
- size = fw->size;
for (len = 0; len < fw->size; len++) {
if (!*p)
@@ -768,7 +767,8 @@ static int get_line_from_fw(char *buf, int size, struct firmware *fw)
break;
}
if (len < size)
- *buf++ = *p++;
+ *buf++ = *p;
+ p++;
}
*buf = 0;
fw->size -= len;
--
1.7.3.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
so the firmware file size), size is set to a value larger than the actual
buffer size. This results in an overflow in the buffer passed.
Fix this by copying only up to 127 chars per line.
Signed-off-by: Alexander Stein <alexand...@systec-electronic.com>
---
sound/pci/hda/hda_hwdep.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c
index bf3ced5..61da08d 100644
--- a/sound/pci/hda/hda_hwdep.c
+++ b/sound/pci/hda/hda_hwdep.c
@@ -745,6 +745,7 @@ static int parse_line_mode(char *buf, struct hda_bus *bus)
* if successfully copied a line
*
* the spaces at the beginning and the end of the line are stripped
+ * lines read are clamped to 127 chars
*/
static int get_line_from_fw(char *buf, int size, struct firmware *fw)
{
@@ -756,8 +757,6 @@ static int get_line_from_fw(char *buf, int size, struct firmware *fw)
}
if (!fw->size)
return 0;
- if (size < fw->size)
- size = fw->size;
for (len = 0; len < fw->size; len++) {
if (!*p)
@@ -768,7 +767,8 @@ static int get_line_from_fw(char *buf, int size, struct firmware *fw)
break;
}
if (len < size)
- *buf++ = *p++;
+ *buf++ = *p;
+ p++;
}
*buf = 0;
fw->size -= len;
--
1.7.3.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Takashi Iwai
Oct 26, 2011, 9:00:02 AM10/26/11
to
At Wed, 26 Oct 2011 09:48:12 +0200,
if (size > fw->size)
size = fw->size;
Otherwise it doesn't make sense.
If the change is OK, could you resend the patch with it?
thanks,
Takashi
Alexander Stein wrote:
>
> If a line in the firmware file is larger than the given buffer size (and
> so the firmware file size), size is set to a value larger than the actual
> buffer size. This results in an overflow in the buffer passed.
> Fix this by copying only up to 127 chars per line.
Actually this check should have been
>
> If a line in the firmware file is larger than the given buffer size (and
> so the firmware file size), size is set to a value larger than the actual
> buffer size. This results in an overflow in the buffer passed.
> Fix this by copying only up to 127 chars per line.
if (size > fw->size)
size = fw->size;
Otherwise it doesn't make sense.
If the change is OK, could you resend the patch with it?
thanks,
Takashi
Alexander Stein
Oct 26, 2011, 9:20:01 AM10/26/11
to
Hello,
On Wednesday 26 October 2011 14:58:43 Takashi Iwai wrote:
> At Wed, 26 Oct 2011 09:48:12 +0200,
>
> Alexander Stein wrote:
> > If a line in the firmware file is larger than the given buffer size (and
> > so the firmware file size), size is set to a value larger than the actual
> > buffer size. This results in an overflow in the buffer passed.
> > Fix this by copying only up to 127 chars per line.
>
> Actually this check should have been
>
> if (size > fw->size)
> size = fw->size;
>
> Otherwise it doesn't make sense.
> If the change is OK, could you resend the patch with it?
IMO this check isn't even needed. This case should be catched by this check
for (len = 0; len < fw->size; len++) {
already.
Opinions?
Alexader
On Wednesday 26 October 2011 14:58:43 Takashi Iwai wrote:
> At Wed, 26 Oct 2011 09:48:12 +0200,
>
> Alexander Stein wrote:
> > If a line in the firmware file is larger than the given buffer size (and
> > so the firmware file size), size is set to a value larger than the actual
> > buffer size. This results in an overflow in the buffer passed.
> > Fix this by copying only up to 127 chars per line.
>
> Actually this check should have been
>
> if (size > fw->size)
> size = fw->size;
>
> Otherwise it doesn't make sense.
> If the change is OK, could you resend the patch with it?
for (len = 0; len < fw->size; len++) {
Opinions?
Alexader
Takashi Iwai
Oct 26, 2011, 9:30:02 AM10/26/11
to
At Wed, 26 Oct 2011 15:15:24 +0200,
Takashi
Alexander Stein wrote:
>
> Hello,
>
> On Wednesday 26 October 2011 14:58:43 Takashi Iwai wrote:
> > At Wed, 26 Oct 2011 09:48:12 +0200,
> >
> > Alexander Stein wrote:
> > > If a line in the firmware file is larger than the given buffer size (and
> > > so the firmware file size), size is set to a value larger than the actual
> > > buffer size. This results in an overflow in the buffer passed.
> > > Fix this by copying only up to 127 chars per line.
> >
> > Actually this check should have been
> >
> > if (size > fw->size)
> > size = fw->size;
> >
> > Otherwise it doesn't make sense.
> > If the change is OK, could you resend the patch with it?
>
> IMO this check isn't even needed. This case should be catched by this check
>
> for (len = 0; len < fw->size; len++) {
>
> already.
> Opinions?
Right, it's superfluous. Let's get rid of it.
>
> Hello,
>
> On Wednesday 26 October 2011 14:58:43 Takashi Iwai wrote:
> > At Wed, 26 Oct 2011 09:48:12 +0200,
> >
> > Alexander Stein wrote:
> > > If a line in the firmware file is larger than the given buffer size (and
> > > so the firmware file size), size is set to a value larger than the actual
> > > buffer size. This results in an overflow in the buffer passed.
> > > Fix this by copying only up to 127 chars per line.
> >
> > Actually this check should have been
> >
> > if (size > fw->size)
> > size = fw->size;
> >
> > Otherwise it doesn't make sense.
> > If the change is OK, could you resend the patch with it?
>
> IMO this check isn't even needed. This case should be catched by this check
>
> for (len = 0; len < fw->size; len++) {
>
> already.
> Opinions?
Takashi
Alexander Stein
Nov 1, 2011, 4:50:01 AM11/1/11
to
If a line in the firmware file is larger than the given buffer size (and
so the firmware file size), size is set to a value larger than the actual
buffer size. This results in an overflow in the buffer passed.
Changes in v2:
so the firmware file size), size is set to a value larger than the actual
buffer size. This results in an overflow in the buffer passed.
* Just remove the erroneous check
sound/pci/hda/hda_hwdep.c | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c
index 72e5885..7e7d078 100644
--- a/sound/pci/hda/hda_hwdep.c
+++ b/sound/pci/hda/hda_hwdep.c
@@ -756,8 +756,6 @@ static int get_line_from_fw(char *buf, int size, struct firmware *fw)
}
if (!fw->size)
return 0;
- if (size < fw->size)
- size = fw->size;
if (!fw->size)
return 0;
- if (size < fw->size)
- size = fw->size;
for (len = 0; len < fw->size; len++) {
if (!*p)
--
1.7.3.4
Takashi Iwai
Nov 1, 2011, 4:50:01 AM11/1/11
to
At Tue, 1 Nov 2011 09:40:07 +0100,
Takashi
Alexander Stein wrote:
>
> If a line in the firmware file is larger than the given buffer size (and
> so the firmware file size), size is set to a value larger than the actual
> buffer size. This results in an overflow in the buffer passed.
>
> Signed-off-by: Alexander Stein <alexand...@systec-electronic.com>
> ---
> Changes in v2:
> * Just remove the erroneous check
Thanks, applied now.
>
> If a line in the firmware file is larger than the given buffer size (and
> so the firmware file size), size is set to a value larger than the actual
> buffer size. This results in an overflow in the buffer passed.
>
> Signed-off-by: Alexander Stein <alexand...@systec-electronic.com>
> ---
> Changes in v2:
> * Just remove the erroneous check
Takashi
0 new messages