Message ID | 54A3972B.5010703@blennerhassett.gen.nz (mailing list archive) |
---|---|
State | New, archived |
At Wed, 31 Dec 2014 19:26:51 +1300, Eliot Blennerhassett wrote: > > Add missing limits to keep copied data within allocated buffer. > > Signed-off-by: Eliot Blennerhassett <eliot@blennerhassett.gen.nz> hpi6000.c changes can't be applied. I guess it's for your development branch? Please split and send the currently applicable one (for hpioctl.c) for merging to 3.19-rc kernel, and include the rest to the next update batch. thanks, Takashi > --- > sound/pci/asihpi/hpi6000.c | 6 +++++- > sound/pci/asihpi/hpioctl.c | 2 ++ > 2 files changed, 7 insertions(+), 1 deletion(-) > > diff --git a/sound/pci/asihpi/hpi6000.c b/sound/pci/asihpi/hpi6000.c > index e0c6715..794df30 100644 > --- a/sound/pci/asihpi/hpi6000.c > +++ b/sound/pci/asihpi/hpi6000.c > @@ -46,6 +46,7 @@ > > /* operational/messaging errors */ > #define HPI6000_ERROR_MSG_RESP_IDLE_TIMEOUT 901 > +#define HPI6000_ERROR_RESP_GET_LEN 902 > #define HPI6000_ERROR_MSG_RESP_GET_RESP_ACK 903 > #define HPI6000_ERROR_MSG_GET_ADR 904 > #define HPI6000_ERROR_RESP_GET_ADR 905 > @@ -1363,7 +1364,10 @@ static short hpi6000_message_response_sequence(struct hpi_adapter_obj *pao, > length = hpi_read_word(pdo, HPI_HIF_ADDR(length)); > } while (hpi6000_check_PCI2040_error_flag(pao, H6READ) && --timeout); > if (!timeout) > - length = sizeof(struct hpi_response); > + return HPI6000_ERROR_RESP_GET_LEN; > + > + if (length > phr->size) > + return HPI_ERROR_RESPONSE_BUFFER_TOO_SMALL; > > /* get the response */ > p_data = (u32 *)phr; > diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c > index 6aa677e..72af66b 100644 > --- a/sound/pci/asihpi/hpioctl.c > +++ b/sound/pci/asihpi/hpioctl.c > @@ -153,6 +153,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) > goto out; > } > > + res_max_size = min_t(size_t, res_max_size, sizeof(*hr)); > + > switch (hm->h.function) { > case HPI_SUBSYS_CREATE_ADAPTER: > case HPI_ADAPTER_DELETE: > -- > 1.9.1 > >
At Wed, 31 Dec 2014 23:48:32 +1300, Eliot Blennerhassett wrote: > > Add missing limits to keep copied data within allocated buffer. > > Signed-off-by: Eliot Blennerhassett <eliot@blennerhassett.gen.nz> > --- > Regenerated, this should apply cleanly to for-next OK, applied now. Thanks. Takashi > > sound/pci/asihpi/hpi6000.c | 7 +++++-- > sound/pci/asihpi/hpioctl.c | 2 ++ > 2 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/sound/pci/asihpi/hpi6000.c b/sound/pci/asihpi/hpi6000.c > index 2414d7a..2d63648 100644 > --- a/sound/pci/asihpi/hpi6000.c > +++ b/sound/pci/asihpi/hpi6000.c > @@ -47,7 +47,7 @@ > > /* operational/messaging errors */ > #define HPI6000_ERROR_MSG_RESP_IDLE_TIMEOUT 901 > - > +#define HPI6000_ERROR_RESP_GET_LEN 902 > #define HPI6000_ERROR_MSG_RESP_GET_RESP_ACK 903 > #define HPI6000_ERROR_MSG_GET_ADR 904 > #define HPI6000_ERROR_RESP_GET_ADR 905 > @@ -1365,7 +1365,10 @@ static short hpi6000_message_response_sequence(struct hpi_adapter_obj *pao, > length = hpi_read_word(pdo, HPI_HIF_ADDR(length)); > } while (hpi6000_check_PCI2040_error_flag(pao, H6READ) && --timeout); > if (!timeout) > - length = sizeof(struct hpi_response); > + return HPI6000_ERROR_RESP_GET_LEN; > + > + if (length > phr->size) > + return HPI_ERROR_RESPONSE_BUFFER_TOO_SMALL; > > /* get the response */ > p_data = (u32 *)phr; > diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c > index 6aa677e..72af66b 100644 > --- a/sound/pci/asihpi/hpioctl.c > +++ b/sound/pci/asihpi/hpioctl.c > @@ -153,6 +153,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) > goto out; > } > > + res_max_size = min_t(size_t, res_max_size, sizeof(*hr)); > + > switch (hm->h.function) { > case HPI_SUBSYS_CREATE_ADAPTER: > case HPI_ADAPTER_DELETE: > -- > 1.9.1 > >
On Wed, Dec 31, 2014 at 07:26:51PM +1300, Eliot Blennerhassett wrote: > Add missing limits to keep copied data within allocated buffer. > Could you give me a Reported-by tag for this? regards, dan carpenter
At Mon, 5 Jan 2015 12:33:22 +0300, Dan Carpenter wrote: > > On Wed, Dec 31, 2014 at 07:26:51PM +1300, Eliot Blennerhassett wrote: > > Add missing limits to keep copied data within allocated buffer. > > > > Could you give me a Reported-by tag for this? Already done. Takashi
diff --git a/sound/pci/asihpi/hpi6000.c b/sound/pci/asihpi/hpi6000.c
index e0c6715..794df30 100644
--- a/sound/pci/asihpi/hpi6000.c
+++ b/sound/pci/asihpi/hpi6000.c
@@ -46,6 +46,7 @@
 
 /* operational/messaging errors */
 #define HPI6000_ERROR_MSG_RESP_IDLE_TIMEOUT 901
+#define HPI6000_ERROR_RESP_GET_LEN 902
 #define HPI6000_ERROR_MSG_RESP_GET_RESP_ACK 903
 #define HPI6000_ERROR_MSG_GET_ADR 904
 #define HPI6000_ERROR_RESP_GET_ADR 905
@@ -1363,7 +1364,10 @@ static short hpi6000_message_response_sequence(struct hpi_adapter_obj *pao,
 length = hpi_read_word(pdo, HPI_HIF_ADDR(length));
 } while (hpi6000_check_PCI2040_error_flag(pao, H6READ) && --timeout);
 if (!timeout)
- length = sizeof(struct hpi_response);
+ return HPI6000_ERROR_RESP_GET_LEN;
+
+ if (length > phr->size)
+ return HPI_ERROR_RESPONSE_BUFFER_TOO_SMALL;
 
 /* get the response */
 p_data = (u32 *)phr;
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 6aa677e..72af66b 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -153,6 +153,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 goto out;
 }
 
+ res_max_size = min_t(size_t, res_max_size, sizeof(*hr));
+
 switch (hm->h.function) {
 case HPI_SUBSYS_CREATE_ADAPTER:
 case HPI_ADAPTER_DELETE:
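Review bot: The new check in hpi6000_message_response_sequence bounds `length` only from above, so a device-reported length of zero, or one shorter than the response header, still passes, and the copy that follows (outside this hunk) would leave `phr` only partly filled. Since `length` is read from the DSP through `hpi_read_word`, it is worth validating in both directions, e.g. `if (length < sizeof(struct hpi_response_header) || length > phr->size)`, assuming that header type is the smallest valid response here. The declaration of `length` is not visible in the hunk; if it is a signed type, the comparison with `phr->size` should be checked for sign conversion. The early `return HPI6000_ERROR_RESP_GET_LEN;` on timeout also skips whatever acknowledgement the rest of the function performs, so it should be confirmed that the interface is left in a recoverable state.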
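Review bot: The clamp added before the `switch` in asihpi_hpi_ioctl silently shrinks `res_max_size` instead of rejecting an oversized request, and nothing at this spot records why. A comment such as `/* cap the caller-supplied response size at the kernel response buffer */` would state the intent, presuming `res_max_size` does originate from the ioctl caller. The clamp only helps if every later copy-out path honours `res_max_size`; those paths are outside the hunk and should be confirmed to compare the response size against the clamped value. The function body starts and ends outside this hunk.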
Add missing limits to keep copied data within allocated buffer. Signed-off-by: Eliot Blennerhassett <eliot@blennerhassett.gen.nz> --- sound/pci/asihpi/hpi6000.c | 6 +++++- sound/pci/asihpi/hpioctl.c | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-)