Commit 365c843b authored by Lars-Peter Clausen's avatar Lars-Peter Clausen Committed by Willy Tarreau

ALSA: control: Make sure that id->index does not overflow

The ALSA control code expects that the range of assigned indices to a control is
continuous and does not overflow. Currently there are no checks to enforce this.
If a control with a overflowing index range is created that control becomes
effectively inaccessible and unremovable since snd_ctl_find_id() will not be
able to find it. This patch adds a check that makes sure that controls with a
overflowing index range can not be created.
Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
Acked-by: default avatarJaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
(cherry picked from commit 883a1d49)
[wt: part 1 of CVE-2014-4656 fix]
Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
parent 9ff558c6
...@@ -328,6 +328,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) ...@@ -328,6 +328,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
if (snd_BUG_ON(!card || !kcontrol->info)) if (snd_BUG_ON(!card || !kcontrol->info))
goto error; goto error;
id = kcontrol->id; id = kcontrol->id;
if (id.index > UINT_MAX - kcontrol->count)
goto error;
down_write(&card->controls_rwsem); down_write(&card->controls_rwsem);
if (snd_ctl_find_id(card, &id)) { if (snd_ctl_find_id(card, &id)) {
up_write(&card->controls_rwsem); up_write(&card->controls_rwsem);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment