ALSA: asihpi: fix an information leak in asihpi_hpi_ioctl()
authorEliot Blennerhassett <eliot@blennerhassett.gen.nz>
Wed, 31 Dec 2014 10:48:32 +0000 (23:48 +1300)
committerTakashi Iwai <tiwai@suse.de>
Wed, 31 Dec 2014 13:12:43 +0000 (14:12 +0100)
Add missing limits to keep copied data within allocated buffer.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Eliot Blennerhassett <eliot@blennerhassett.gen.nz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
sound/pci/asihpi/hpi6000.c
sound/pci/asihpi/hpioctl.c

index 2414d7a2239d325b95cf08077654fad970343f22..2d6364825d4d2a05a81002253b4556ef6999ca10 100644 (file)
@@ -47,7 +47,7 @@
 
 /* operational/messaging errors */
 #define HPI6000_ERROR_MSG_RESP_IDLE_TIMEOUT             901
-
+#define HPI6000_ERROR_RESP_GET_LEN                      902
 #define HPI6000_ERROR_MSG_RESP_GET_RESP_ACK             903
 #define HPI6000_ERROR_MSG_GET_ADR                       904
 #define HPI6000_ERROR_RESP_GET_ADR                      905
@@ -1365,7 +1365,10 @@ static short hpi6000_message_response_sequence(struct hpi_adapter_obj *pao,
                length = hpi_read_word(pdo, HPI_HIF_ADDR(length));
        } while (hpi6000_check_PCI2040_error_flag(pao, H6READ) && --timeout);
        if (!timeout)
-               length = sizeof(struct hpi_response);
+               return HPI6000_ERROR_RESP_GET_LEN;
+
+       if (length > phr->size)
+               return HPI_ERROR_RESPONSE_BUFFER_TOO_SMALL;
 
        /* get the response */
        p_data = (u32 *)phr;
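Review bot: The new check bounds `length` only from above, so a DSP-reported length smaller than the response header would still pass and, if the copy loop that follows uses `length` as its byte count, leave the remainder of *phr stale for the caller; a lower bound such as `if (length < RESP_HEADER_LEN /* placeholder: size of the fixed header */ || length > phr->size)` is worth considering. The comparison only protects the buffer if every caller initialises phr->size to the real allocation, which I cannot verify from this hunk. A short comment above the check, `/* length comes from the adapter; bound it by the caller's buffer before copying */`, would record why the old fallback to sizeof(struct hpi_response) became an error return. hpi6000_message_response_sequence starts before and continues past this hunk, so the copy loop itself is not visible here.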
index 6aa677e60555723058acb4a8c0a9cdc5deb17aa5..72af66bdf7149ecaef5a30dd3b4a9736463102e9 100644 (file)
@@ -153,6 +153,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                goto out;
        }
 
+       res_max_size = min_t(size_t, res_max_size, sizeof(*hr));
+
        switch (hm->h.function) {
        case HPI_SUBSYS_CREATE_ADAPTER:
        case HPI_ADAPTER_DELETE:
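Review bot: The clamp `res_max_size = min_t(size_t, res_max_size, sizeof(*hr));` carries no comment saying what it guards, which makes it easy for a later refactor to move it after the switch where it no longer protects the copy; I would add `/* res_max_size is supplied by the caller; never let the copy-out exceed the kernel response buffer hr */`. It is also worth confirming that the message side (hm) receives an equivalent bound earlier in the function — presumably its size is validated before this point, but asihpi_hpi_ioctl starts outside the hunk and that check is not visible here.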