Commit 444c1953d496d272208902ff7010dc70d1f887f0

Authored by Dan Carpenter
Committed by Jaroslav Kysela
1 parent 440b004cf9

sound: oss: off by one bug

The problem is that in the original code sound_nblocks could go up to 1024
which would be an array overflow.

This was found with a static checker and has been compile tested only.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>

Showing 3 changed files with 13 additions and 9 deletions Side-by-side Diff

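--- a/sound/oss/dev_table.c
+++ b/sound/oss/dev_table.c
@@ -67,14 +67,15 @@
 return -(EBUSY);
 }
 d = (struct audio_driver *) (sound_mem_blocks[sound_nblocks] = vmalloc(sizeof(struct audio_driver)));
+ sound_nblocks++;
+ if (sound_nblocks >= MAX_MEM_BLOCKS)
+ sound_nblocks = MAX_MEM_BLOCKS - 1;
 
- if (sound_nblocks < 1024)
- sound_nblocks++;
-
 op = (struct audio_operations *) (sound_mem_blocks[sound_nblocks] = vmalloc(sizeof(struct audio_operations)));
+ sound_nblocks++;
+ if (sound_nblocks >= MAX_MEM_BLOCKS)
+ sound_nblocks = MAX_MEM_BLOCKS - 1;
 
- if (sound_nblocks < 1024)
- sound_nblocks++;
 if (d == NULL || op == NULL) {
 printk(KERN_ERR "Sound: Can't allocate driver for (%s)\n", name);
 sound_unload_audiodev(num);
 
@@ -128,9 +129,10 @@
 until you unload sound! */
 
 op = (struct mixer_operations *) (sound_mem_blocks[sound_nblocks] = vmalloc(sizeof(struct mixer_operations)));
+ sound_nblocks++;
+ if (sound_nblocks >= MAX_MEM_BLOCKS)
+ sound_nblocks = MAX_MEM_BLOCKS - 1;
 
- if (sound_nblocks < 1024)
- sound_nblocks++;
 if (op == NULL) {
 printk(KERN_ERR "Sound: Can't allocate mixer driver for (%s)\n", name);
 return -ENOMEM;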
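Review bot: Once the table is full the clamp leaves `sound_nblocks` at `MAX_MEM_BLOCKS - 1`, so the next `sound_mem_blocks[sound_nblocks] = vmalloc(...)` overwrites the pointer already recorded in the last slot. The out-of-bounds write is gone, but the displaced block is presumably never freed at unload, assuming the unload path walks this table as the comment in soundcard.c suggests. In the audio hunk this can happen within a single call: if `d` lands in the last slot, `op` replaces it. Refusing the registration before allocating avoids that, e.g. `if (sound_nblocks + 2 >= MAX_MEM_BLOCKS) return -ENOMEM;` ahead of the two allocations, and the same test with `+ 1` in the mixer hunk. The three-line clamp is repeated in all three places and would read better as one helper; both enclosing functions start and end outside the hunks shown.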
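--- a/sound/oss/sound_config.h
+++ b/sound/oss/sound_config.h
@@ -142,5 +142,7 @@
 #define TIMER_ARMED 121234
 #define TIMER_NOT_ARMED 1
 
+#define MAX_MEM_BLOCKS 1024
+
 #endif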
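--- a/sound/oss/soundcard.c
+++ b/sound/oss/soundcard.c
@@ -56,7 +56,7 @@
 /*
 * Table for permanently allocated memory (used when unloading the module)
 */
-void * sound_mem_blocks[1024];
+void * sound_mem_blocks[MAX_MEM_BLOCKS];
 int sound_nblocks = 0;
 
 /* Persistent DMA buffers */
@@ -574,7 +574,7 @@
 NULL, "%s%d", dev_list[i].name, j);
 }
 
- if (sound_nblocks >= 1024)
+ if (sound_nblocks >= MAX_MEM_BLOCKS - 1)
 printk(KERN_ERR "Sound warning: Deallocation table was too small.\n");
 
 return 0;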
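Review bot: The warning test `sound_nblocks >= MAX_MEM_BLOCKS - 1` cannot tell a table with exactly one free slot left from one whose last entry has already been overwritten, because the clamp in dev_table.c parks the counter at that same value in both cases. The table's comment should say so, e.g. `/* The last slot is a sentinel: sound_nblocks == MAX_MEM_BLOCKS - 1 means the table overflowed or is about to */`, or the clamp sites could set a separate overflow flag that this check reads. The condition is also only logged, and the function still returns 0 two lines later, so a caller never learns that tracked allocations were dropped. The enclosing function starts outside the hunk.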