author: Meng Xu <mengxu.gatech@gmail.com> 2017-09-19 01:21:56 -0400
committer: Takashi Iwai <tiwai@suse.de> 2017-09-19 22:03:59 +0200
commit: e1af344df4e5c8fe90f4a63235a68d5405afc41b
tree: b230497f54de3a989062c5cb983ef1bed9507074 /init
parent: a931b9ce93841a5b66b709ba5a244276e345e63b
download: linux-e1af344df4e5c8fe90f4a63235a68d5405afc41b.tar.bz2
ALSA: asihpi: fix a potential double-fetch bug when copying puhm
The hm->h.size is intended to hold the actual size of the hm struct that is copied from userspace and should always be <= sizeof(*hm). However, after copy_from_user(hm, puhm, hm->h.size), since the userspace process has full control over the memory region pointed to by puhm, it is possible that the value of hm->h.size is different from what was fetched in previously (get_user(hm->h.size, (u16 __user *)puhm)). In other words, hm->h.size is overridden and the relation between hm->h.size and the hm struct is broken.

This patch proposes to use a separate variable, msg_size, to hold the value of the first fetch and override hm->h.size to msg_size after the second fetch to maintain the relation.

Signed-off-by: Meng Xu <mengxu.gatech@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
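Added illustration, not code from this commit or from the kernel: a userspace C simulation of the double-fetch shape the message describes. The `struct msg` layout, the `sim_get_user_u16` / `sim_copy_from_user` stand-ins for get_user() / copy_from_user(), the `between_fetches` hook that models a racing user thread, and the 32-byte / 0xFFFF sample sizes are all constructed assumptions; the real asihpi structures and handler are not reproduced. `handler_vulnerable` validates the size from the first fetch and then lets the second fetch overwrite it; `handler_fixed` follows the approach the patch describes (hold the first fetch in `msg_size`, write it back after the second copy).

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the message: a 16-bit size header followed by a
 * payload. This is NOT the real asihpi struct layout. */
#define MSG_MAX 64
struct msg_hdr { uint16_t size; };
struct msg {
    struct msg_hdr h;
    uint8_t body[MSG_MAX - sizeof(struct msg_hdr)];
};

/* Simulated user memory. The hook fires between the two kernel fetches and
 * models the window in which another user thread can rewrite the buffer. */
struct user_mem {
    uint8_t buf[256];
    void (*between_fetches)(struct user_mem *);   /* NULL = no race */
};

/* Stand-ins for get_user() / copy_from_user(): 0 on success, -1 as -EFAULT. */
static int sim_get_user_u16(uint16_t *dst, const struct user_mem *u)
{
    memcpy(dst, u->buf, sizeof *dst);
    return 0;
}
static int sim_copy_from_user(void *dst, const struct user_mem *u, size_t n)
{
    if (n > sizeof u->buf)
        return -1;
    memcpy(dst, u->buf, n);
    return 0;
}

/* Vulnerable shape: size validated from the first fetch, but the second
 * fetch copies the header again, so hm->h.size is whatever userspace holds
 * at that moment. The size downstream code would trust goes to *trusted. */
static int handler_vulnerable(struct user_mem *u, struct msg *hm, uint16_t *trusted)
{
    memset(hm, 0, sizeof *hm);
    if (sim_get_user_u16(&hm->h.size, u))
        return -1;
    if (hm->h.size > sizeof *hm)               /* validated here ...        */
        return -1;
    if (u->between_fetches)
        u->between_fetches(u);                 /* ... race window ...       */
    if (sim_copy_from_user(hm, u, hm->h.size)) /* ... then overwritten      */
        return -1;
    *trusted = hm->h.size;
    return 0;
}

/* Fixed shape, following the patch's approach: keep the first fetch in
 * msg_size and write it back after the second fetch. */
static int handler_fixed(struct user_mem *u, struct msg *hm, uint16_t *trusted)
{
    uint16_t msg_size;

    memset(hm, 0, sizeof *hm);
    if (sim_get_user_u16(&msg_size, u))
        return -1;
    if (msg_size > sizeof *hm)
        return -1;
    if (u->between_fetches)
        u->between_fetches(u);
    if (sim_copy_from_user(hm, u, msg_size))
        return -1;
    hm->h.size = msg_size;                     /* restore the validated value */
    *trusted = hm->h.size;
    return 0;
}

/* Racing user thread: after validation has passed, rewrite the size field. */
static void attacker_bump_size(struct user_mem *u)
{
    uint16_t big = 0xFFFF;                     /* constructed oversize value */
    memcpy(u->buf, &big, sizeof big);
}

/* Returns true when the handler ends up trusting a size larger than the
 * struct it copied into, i.e. the size/struct relation has been broken. */
bool relation_broken(bool use_fixed, bool race)
{
    struct user_mem u;
    struct msg hm;
    uint16_t size = 32, trusted = 0;           /* 32: a valid initial size */
    int rc;

    memset(&u, 0, sizeof u);
    memcpy(u.buf, &size, sizeof size);
    u.between_fetches = race ? attacker_bump_size : NULL;

    rc = use_fixed ? handler_fixed(&u, &hm, &trusted)
                   : handler_vulnerable(&u, &hm, &trusted);
    return rc == 0 && trusted > sizeof hm;
}
```

Calling `relation_broken(false, true)` runs the vulnerable handler with the race hook and returns true: the size check passed on 32 but the handler ends up holding 0xFFFF. `relation_broken(true, true)` runs the fixed handler under the same race and returns false. The general rule the example shows is that any value read from user memory and then validated must be used from the kernel-side copy only; a second copy of the same bytes is a fresh, unvalidated read.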