diff options
author | Takashi Sakamoto <o-takashi@sakamocchi.jp> | 2015-05-27 17:02:59 +0200 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2015-05-27 17:44:42 +0200 |
commit | 31ea49baa1aa97f882ee3da8142ec5a9dac509c2 (patch) | |
tree | 44c8c4280852fb0cbabe9820a6f5e959abbdc4e0 /ipc | |
parent | sound: sound_firmware: Fix invalid use of vfs_read() (diff) | |
download | linux-31ea49baa1aa97f882ee3da8142ec5a9dac509c2.tar.xz linux-31ea49baa1aa97f882ee3da8142ec5a9dac509c2.zip |
ALSA: firewire-lib: fix buffer-over-run when detecting packet discontinuity
When detecting packet discontinuity, handle_in_packet() returns minus value
and this value is assigned to unsigned int variable, then the variable has
huge value. As a result, the variable causes buffer-over-run in
handle_out_packet(). This brings invalid page request and system hangup.
This commit fixes the bug to add a new argument into handle_in_packet()
and the number of handled data blocks is assignd to it. The function
return value is just used to check error.
I also considered to change the type of local variable to 'int' in
in_stream_callback(). This idea is based on type-conversion in C standard,
while it may cause future problems when adding more works. Thus, I dropped
this idea.
Fixes: 6fc6b9ce41c6('ALSA: firewire-lib: pass the number of data blocks in incoming packets to outgoing packets')
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'ipc')
0 files changed, 0 insertions, 0 deletions