Date: Wed, 31 Dec 2014 19:26:51 +1300
From: Eliot Blennerhassett
To: Takashi Iwai, Dan Carpenter
Cc: alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org
Subject: Re: [alsa-devel] [patch] ALSA: asihpi: fix an information leak in asihpi_hpi_ioctl()

Add missing limits to keep copied data within allocated buffer.

Signed-off-by: Eliot Blennerhassett
--- sound/pci/asihpi/hpi6000.c | 6 +++++- sound/pci/asihpi/hpioctl.c | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/sound/pci/asihpi/hpi6000.c b/sound/pci/asihpi/hpi6000.c index e0c6715..794df30 100644 --- a/sound/pci/asihpi/hpi6000.c +++ b/sound/pci/asihpi/hpi6000.c @@ -46,6 +46,7 @@ /* operational/messaging errors */ #define HPI6000_ERROR_MSG_RESP_IDLE_TIMEOUT 901 +#define HPI6000_ERROR_RESP_GET_LEN 902 #define HPI6000_ERROR_MSG_RESP_GET_RESP_ACK 903 #define HPI6000_ERROR_MSG_GET_ADR 904 #define HPI6000_ERROR_RESP_GET_ADR 905 @@ -1363,7 +1364,10 @@ static short hpi6000_message_response_sequence(struct hpi_adapter_obj *pao, length = hpi_read_word(pdo, HPI_HIF_ADDR(length)); } while (hpi6000_check_PCI2040_error_flag(pao, H6READ) && --timeout); if (!timeout) - length = sizeof(struct hpi_response); + return HPI6000_ERROR_RESP_GET_LEN; + + if (length > phr->size) + return HPI_ERROR_RESPONSE_BUFFER_TOO_SMALL; /* get the response */ p_data = (u32 *)phr; 
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c index 6aa677e..72af66b 100644 --- a/sound/pci/asihpi/hpioctl.c +++ b/sound/pci/asihpi/hpioctl.c @@ -153,6 +153,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) goto out; } + res_max_size = min_t(size_t, res_max_size, sizeof(*hr)); + switch (hm->h.function) { case HPI_SUBSYS_CREATE_ADAPTER: case HPI_ADAPTER_DELETE:
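Review bot: the changelog does not mention the behaviour change that the new HPI6000_ERROR_RESP_GET_LEN code (902, first hunk of hpi6000.c) exists for. A timeout while reading the response length now fails the call instead of falling back to sizeof(struct hpi_response). Please state that in the commit message, since callers will start seeing error 902 where the read previously went ahead with a default length.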
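Review bot: in the hpi6000_message_response_sequence() hunk, the new bound `if (length > phr->size)` trusts phr->size, a field of the very buffer that is about to be filled, and leaves the device-supplied length without a lower bound. The check keeps the copy inside the allocation only if every caller has set phr->size to the real capacity before the call, which these lines do not show. Consider also bounding against the size of the response structure, as the removed fallback did, or documenting the precondition in a comment. A length of zero, or one shorter than a response header, still passes. Consider rejecting it so the caller is not handed a response shorter than its header.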
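Review bot: in the asihpi_hpi_ioctl() hunk, `res_max_size = min_t(size_t, res_max_size, sizeof(*hr));` caps the caller's value, but nothing visible here shows that the length later copied back to user space is limited by res_max_size rather than by a size field the handler or adapter wrote into the response. Please confirm the copy-out path checks that size against the clamped res_max_size, and add a one-line comment above the min_t() saying which copy it bounds. The min_t() cast also hides the declared type of res_max_size. If it is not already size_t, casting to the variable's own type would make a signed or narrower value easier to spot in review.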