summaryrefslogtreecommitdiff
path: root/sound/oss/sequencer.c
diff options
context:
space:
mode:
authorDan Rosenberg <drosenberg@vsecurity.com>2011-03-23 17:53:41 +0300
committerTakashi Iwai <tiwai@suse.de>2011-03-24 00:47:46 +0300
commitb769f49463711205d57286e64cf535ed4daf59e9 (patch)
tree1c674fdbed533434d2ba9b7b1b3646243160e55c /sound/oss/sequencer.c
parentce24f58a1187ca3058d72c3f897e3b574209ab20 (diff)
downloadlinux-b769f49463711205d57286e64cf535ed4daf59e9.tar.xz
sound/oss: remove offset from load_patch callbacks
Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of uninitialized value, and signedness issue The offset passed to midi_synth_load_patch() can be essentially arbitrary. If it's greater than the header length, this will result in a copy_from_user(dst, src, negative_val). While this will just return -EFAULT on x86, on other architectures this may cause memory corruption. Additionally, the length field of the sysex_info structure may not be initialized prior to its use. Finally, a signed comparison may result in an unintentionally large loop. On suggestion by Takashi Iwai, version two removes the offset argument from the load_patch callbacks entirely, which also resolves similar issues in opl3. Compile tested only. v3 adjusts comments and hopefully gets copy offsets right. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/oss/sequencer.c')
-rw-r--r--sound/oss/sequencer.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/sound/oss/sequencer.c b/sound/oss/sequencer.c
index 5ea1098ac427..30bcfe470f83 100644
--- a/sound/oss/sequencer.c
+++ b/sound/oss/sequencer.c
@@ -241,7 +241,7 @@ int sequencer_write(int dev, struct file *file, const char __user *buf, int coun
return -ENXIO;
fmt = (*(short *) &event_rec[0]) & 0xffff;
- err = synth_devs[dev]->load_patch(dev, fmt, buf, p + 4, c, 0);
+ err = synth_devs[dev]->load_patch(dev, fmt, buf + p, c, 0);
if (err < 0)
return err;