From patchwork Sat Nov 23 06:15:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: GitHub issues - opened X-Patchwork-Id: 13883764 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 98196E6ADE2 for ; Sat, 23 Nov 2024 06:16:09 +0000 (UTC) Received: from alsa1.perex.cz (alsa1.perex.cz [207.180.221.201]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by alsa0.perex.cz (Postfix) with ESMTPS id F30C414E9; Sat, 23 Nov 2024 07:15:56 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa0.perex.cz F30C414E9 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alsa-project.org; s=default; t=1732342567; bh=ESDzv5/UHxBjBa2diSrueMWyljiTRmo+CnhAYPaTv5A=; h=From:To:In-Reply-To:References:Subject:Date:List-Id:List-Archive: List-Help:List-Owner:List-Post:List-Subscribe:List-Unsubscribe: From; b=JARc7rIqUvuC40TJ0bYhov/zq+8xJNun2HGxH6QI2jRLMfPKFQgjF55eLtK3ujZ5a ytilmeATYJ+ckcXiVn8QT+/ZCyPZ30pZLBoy+2VFei5PFb7YNF0D/RsOE8X4xrrECk RYpBApwP7t4uFnk1VNZSS8jlGX3917GGFsqEv13I= Received: by alsa1.perex.cz (Postfix, from userid 50401) id 0FD8CF805BA; Sat, 23 Nov 2024 07:15:32 +0100 (CET) Received: from mailman-core.alsa-project.org (mailman-core.alsa-project.org [10.254.200.10]) by alsa1.perex.cz (Postfix) with ESMTP id 6D3C4F805B6; Sat, 23 Nov 2024 07:15:32 +0100 (CET) Received: by alsa1.perex.cz (Postfix, from userid 50401) id 64127F80533; Sat, 23 Nov 2024 07:15:19 +0100 (CET) Received: from webhooks-bot.alsa-project.org (vmi242170.contaboserver.net [207.180.221.201]) by alsa1.perex.cz (Postfix) with ESMTP id AD371F80166 for ; Sat, 23 Nov 2024 07:15:17 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa1.perex.cz AD371F80166 MIME-Version: 1.0 From: GitHub issues - opened To: alsa-devel@alsa-project.org In-Reply-To: <1732342517061112881-webhooks-bot@alsa-project.org> References: <1732342517061112881-webhooks-bot@alsa-project.org> Subject: TLVs with (size % 4) != 0 make amixer and alsactl crash Message-Id: <20241123061519.64127F80533@alsa1.perex.cz> Date: Sat, 23 Nov 2024 07:15:19 +0100 (CET) Message-ID-Hash: 6LTOVNITLVZSY56EW2B5UOTBU2H6I6IE X-Message-ID-Hash: 6LTOVNITLVZSY56EW2B5UOTBU2H6I6IE X-MailFrom: github@alsa-project.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-alsa-devel.alsa-project.org-0; header-match-alsa-devel.alsa-project.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.9 Precedence: list List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org" Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: alsa-project/alsa-utils issue #282 was opened from geoffreybennett: While trying to figure out how TLVs work, I found that if the length field is not a multiple of 4 then amixer and alsactl keep reading past the end of the buffer until they segfault, because size is unsigned. One example here: ``` ``` Issue URL : https://github.com/alsa-project/alsa-utils/issues/282 Repository URL: https://github.com/alsa-project/alsa-utils diff --git a/amixer/amixer.c b/amixer/amixer.c index 8b8000b..03cc9cb 100644 --- a/amixer/amixer.c +++ b/amixer/amixer.c @@ -587,7 +587,7 @@ static void decode_tlv(unsigned int spaces, unsigned int *tlv, unsigned int tlv_ #endif default: printf("unk-%u-", type); - while (size > 0) { + while (size >= sizeof(unsigned int)) { printf("0x%08x,", tlv[idx++]); size -= sizeof(unsigned int); }