Commit ae6ff61e authored by Dan Carpenter, committed by Takashi Iwai

ALSA: asihpi - off by one in asihpi_hpi_ioctl()

"adapter" is used as an array index in the adapters[] array so
the off by one would make us read past the end.

1c073b67 "ALSA: asihpi - Remove spurious adapter index check"
reverted Dan Rosenberg's check that would have prevented the
overflow here.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
parent 60a6a842
...@@ -183,7 +183,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ...@@ -183,7 +183,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
u32 adapter = hm->h.adapter_index; u32 adapter = hm->h.adapter_index;
struct hpi_adapter *pa = &adapters[adapter]; struct hpi_adapter *pa = &adapters[adapter];
if ((adapter > HPI_MAX_ADAPTERS) || (!pa->type)) { if ((adapter >= HPI_MAX_ADAPTERS) || (!pa->type)) {
hpi_init_response(&hr->r0, HPI_OBJ_ADAPTER, hpi_init_response(&hr->r0, HPI_OBJ_ADAPTER,
HPI_ADAPTER_OPEN, HPI_ADAPTER_OPEN,
HPI_ERROR_BAD_ADAPTER_NUMBER); HPI_ERROR_BAD_ADAPTER_NUMBER);
......
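Review bot: `struct hpi_adapter *pa = &adapters[adapter];` still forms the pointer from `adapter` on the line before the range check, so the index is used before it is validated. With `>=` the `||` short-circuits and `pa->type` is no longer read when `adapter == HPI_MAX_ADAPTERS`, which closes the read past the end, but safety now depends on the order of the two operands in that one condition. Consider testing `adapter >= HPI_MAX_ADAPTERS` first and assigning `pa = &adapters[adapter]` only after it passes, so a later reordering or edit of the `if` cannot reintroduce the out-of-bounds access.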