projects / GitHub / LineageOS / G12 / android_kernel_amlogic_linux-4.9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0407e79)
ALSA: line6: fix stack overflow in line6_midi_transmit
authorArtem Egorkine <arteme@gmail.com>
Sun, 25 Dec 2022 10:57:28 +0000 (12:57 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 7 Jan 2023 11:07:35 +0000 (12:07 +0100)
commit b8800d324abb50160560c636bfafe2c81001b66c upstream.

Correctly calculate available space including the size of the chunk
buffer. This fixes a buffer overflow when multiple MIDI sysex
messages are sent to a PODxt device.

Signed-off-by: Artem Egorkine <arteme@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221225105728.1153989-2-arteme@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
sound/usb/line6/midi.c patch | blob | blame | history

diff --git a/sound/usb/line6/midi.c b/sound/usb/line6/midi.c
index 10cc3208d0698a54c40ad47600f1ca8499f2716a..b908be4d347b6bdb4c1f6975387d73b04ba191a8 100644 (file)
--- a/sound/usb/line6/midi.c
+++ b/sound/usb/line6/midi.c
@@ -48,7 +48,8 @@ static void line6_midi_transmit(struct snd_rawmidi_substream *substream)
        int req, done;
 
        for (;;) {
-               req = min(line6_midibuf_bytes_free(mb), line6->max_packet_size);
+               req = min3(line6_midibuf_bytes_free(mb), line6->max_packet_size,
+                          LINE6_FALLBACK_MAXPACKETSIZE);
                done = snd_rawmidi_transmit_peek(substream, chunk, req);
 
                if (done == 0)