From 7fba24c6c99b514716fd069094799df035f46054 Mon Sep 17 00:00:00 2001 From: Lars-Peter Clausen Date: Wed, 18 Jun 2014 13:32:35 +0200 Subject: [PATCH] ALSA: control: Make sure that id->index does not overflow commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream. The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with a overflowing index range is created that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it. This patch adds a check that makes sure that controls with a overflowing index range can not be created. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/control.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sound/core/control.c b/sound/core/control.c index 93215b4bec6b..98a29b26c5f4 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -343,6 +343,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) if (snd_BUG_ON(!card || !kcontrol->info)) goto error; id = kcontrol->id; + if (id.index > UINT_MAX - kcontrol->count) + goto error; + down_write(&card->controls_rwsem); if (snd_ctl_find_id(card, &id)) { up_write(&card->controls_rwsem); -- 2.20.1