author Dan Rosenberg <drosenberg@vsecurity.com> 2011-03-17 18:32:24 -0400
committer Takashi Iwai <tiwai@suse.de> 2011-03-18 07:38:29 +0100
commit 4a122c10fbfe9020df469f0f669da129c5757671
tree 57a707d3331c59f18f65dd9dfc1610944e461d7d /sound
parent 98d21df431ad55281e1abf780f8d51e3391900b2
ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl
The user-supplied index into the adapters array needs to be checked, or an out-of-bounds kernel pointer could be accessed and used, leading to potentially exploitable memory corruption.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound')
-rw-r--r-- sound/pci/asihpi/hpioctl.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 26186be..cd624f1 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -156,6 +156,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
goto out;
}
+ if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
+ err = -EINVAL;
+ goto out;
+ }
+
pa = &adapters[hm->h.adapter_index];
hr->h.size = res_max_size;
if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
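Review bot: The new test `hm->h.adapter_index >= HPI_MAX_ADAPTERS` bounds the index only from above, so it protects `pa = &adapters[hm->h.adapter_index];` only if `adapter_index` is an unsigned field; with a signed type a negative value would pass the check and still index outside the array. The field's declaration is not visible in this hunk, so please confirm it is unsigned and say so in the commit message, or make the comparison explicit about it. The check and the lookup also each read the index from `hm`, which is safe only if `hm` is the kernel-side copy of the message at this point and not user memory that could change between the two reads.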