From 0d02e1292715d00674a49626146e3a854b504cb1 Mon Sep 17 00:00:00 2001 From: Eliot Blennerhassett Date: Wed, 31 Dec 2014 23:48:32 +1300 Subject: [PATCH] ALSA: asihpi: fix an information leak in asihpi_hpi_ioctl() Add missing limits to keep copied data within allocated buffer. Reported-by: Dan Carpenter Signed-off-by: Eliot Blennerhassett Signed-off-by: Takashi Iwai --- sound/pci/asihpi/hpi6000.c | 7 +++++-- sound/pci/asihpi/hpioctl.c | 2 ++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/sound/pci/asihpi/hpi6000.c b/sound/pci/asihpi/hpi6000.c index 2414d7a2239d..2d6364825d4d 100644 --- a/sound/pci/asihpi/hpi6000.c +++ b/sound/pci/asihpi/hpi6000.c @@ -47,7 +47,7 @@ /* operational/messaging errors */ #define HPI6000_ERROR_MSG_RESP_IDLE_TIMEOUT 901 - +#define HPI6000_ERROR_RESP_GET_LEN 902 #define HPI6000_ERROR_MSG_RESP_GET_RESP_ACK 903 #define HPI6000_ERROR_MSG_GET_ADR 904 #define HPI6000_ERROR_RESP_GET_ADR 905 @@ -1365,7 +1365,10 @@ static short hpi6000_message_response_sequence(struct hpi_adapter_obj *pao, length = hpi_read_word(pdo, HPI_HIF_ADDR(length)); } while (hpi6000_check_PCI2040_error_flag(pao, H6READ) && --timeout); if (!timeout) - length = sizeof(struct hpi_response); + return HPI6000_ERROR_RESP_GET_LEN; + + if (length > phr->size) + return HPI_ERROR_RESPONSE_BUFFER_TOO_SMALL; /* get the response */ p_data = (u32 *)phr; diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c index 6aa677e60555..72af66bdf714 100644 --- a/sound/pci/asihpi/hpioctl.c +++ b/sound/pci/asihpi/hpioctl.c @@ -153,6 +153,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) goto out; } + res_max_size = min_t(size_t, res_max_size, sizeof(*hr)); + switch (hm->h.function) { case HPI_SUBSYS_CREATE_ADAPTER: case HPI_ADAPTER_DELETE: -- 2.20.1