From: Dan Carpenter Date: Wed, 27 Jul 2011 12:02:26 +0000 (+0300) Subject: ALSA: asihpi - off by one in asihpi_hpi_ioctl() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=ae6ff61e43fe4f348a7f764ff0c13fb4240da7b8;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git ALSA: asihpi - off by one in asihpi_hpi_ioctl() "adapter" is used as an array index in the adapters[] array so the off by one would make us read past the end. 1c073b67979 "ALSA: asihpi - Remove spurious adapter index check" reverted Dan Rosenberg's check that would have prevented the overflow here. Signed-off-by: Dan Carpenter Signed-off-by: Takashi Iwai --- diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c index e0cff0c72e51..9683f84ecdc8 100644 --- a/sound/pci/asihpi/hpioctl.c +++ b/sound/pci/asihpi/hpioctl.c @@ -183,7 +183,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) u32 adapter = hm->h.adapter_index; struct hpi_adapter *pa = &adapters[adapter]; - if ((adapter > HPI_MAX_ADAPTERS) || (!pa->type)) { + if ((adapter >= HPI_MAX_ADAPTERS) || (!pa->type)) { hpi_init_response(&hr->r0, HPI_OBJ_ADAPTER, HPI_ADAPTER_OPEN, HPI_ERROR_BAD_ADAPTER_NUMBER);