diff mbox series

ALSA: firewire-digi00x: prevent potential use after free

Message ID c224cbd5-d9e2-4cd4-9bcf-2138eb1d35c6@kili.mountain (mailing list archive)
State Accepted
Commit c0e72058d5e21982e61a29de6b098f7c1f0db498
Headers show
Series ALSA: firewire-digi00x: prevent potential use after free | expand

Commit Message

Dan Carpenter May 9, 2023, 9:07 a.m. UTC
This code was supposed to return an error code if init_stream()
failed, but it instead freed dg00x->rx_stream and returned success.
This potentially leads to a use after free.

Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 sound/firewire/digi00x/digi00x-stream.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Takashi Iwai May 12, 2023, 8:18 a.m. UTC | #1
On Tue, 09 May 2023 11:07:11 +0200,
Dan Carpenter wrote:
> 
> This code was supposed to return an error code if init_stream()
> failed, but it instead freed dg00x->rx_stream and returned success.
> This potentially leads to a use after free.
> 
> Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Thanks, applied now.


Takashi
Takashi Sakamoto May 12, 2023, 1:44 p.m. UTC | #2
Hi,

On Fri, May 12, 2023 at 10:18:54AM +0200, Takashi Iwai wrote:
> On Tue, 09 May 2023 11:07:11 +0200,
> Dan Carpenter wrote:
> > 
> > This code was supposed to return an error code if init_stream()
> > failed, but it instead freed dg00x->rx_stream and returned success.
> > This potentially leads to a use after free.
> > 
> > Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain")
> > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> 
> Thanks, applied now.

I overlooked the patch. It looks good to me as well.

Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>


Thanks

Takashi Sakamoto
diff mbox series

Patch

diff --git a/sound/firewire/digi00x/digi00x-stream.c b/sound/firewire/digi00x/digi00x-stream.c
index a15f55b0dce3..295163bb8abb 100644
--- a/sound/firewire/digi00x/digi00x-stream.c
+++ b/sound/firewire/digi00x/digi00x-stream.c
@@ -259,8 +259,10 @@  int snd_dg00x_stream_init_duplex(struct snd_dg00x *dg00x)
 		return err;
 
 	err = init_stream(dg00x, &dg00x->tx_stream);
-	if (err < 0)
+	if (err < 0) {
 		destroy_stream(dg00x, &dg00x->rx_stream);
+		return err;
+	}
 
 	err = amdtp_domain_init(&dg00x->domain);
 	if (err < 0) {