diff options
| author | Dan Carpenter <error27@gmail.com> | 2010-01-03 06:39:27 -0500 |
|---|---|---|
| committer | Jaroslav Kysela <perex@perex.cz> | 2010-01-08 03:17:51 -0500 |
| commit | 444c1953d496d272208902ff7010dc70d1f887f0 (patch) | |
| tree | 40aa1e10f108818b3b7d12384229c0501aeb5a12 /sound/oss/soundcard.c | |
| parent | 440b004cf953bec2bc8cd91c64ae707fd7e25327 (diff) | |
sound: oss: off by one bug
The problem is that in the original code sound_nblocks could go up to 1024
which would be an array overflow.
This was found with a static checker and has been compile tested only.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Diffstat (limited to 'sound/oss/soundcard.c')
| -rw-r--r-- | sound/oss/soundcard.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c index 61aaedae6b7e..c62530943888 100644 --- a/sound/oss/soundcard.c +++ b/sound/oss/soundcard.c | |||
| @@ -56,7 +56,7 @@ | |||
| 56 | /* | 56 | /* |
| 57 | * Table for permanently allocated memory (used when unloading the module) | 57 | * Table for permanently allocated memory (used when unloading the module) |
| 58 | */ | 58 | */ |
| 59 | void * sound_mem_blocks[1024]; | 59 | void * sound_mem_blocks[MAX_MEM_BLOCKS]; |
| 60 | int sound_nblocks = 0; | 60 | int sound_nblocks = 0; |
| 61 | 61 | ||
| 62 | /* Persistent DMA buffers */ | 62 | /* Persistent DMA buffers */ |
| @@ -574,7 +574,7 @@ static int __init oss_init(void) | |||
| 574 | NULL, "%s%d", dev_list[i].name, j); | 574 | NULL, "%s%d", dev_list[i].name, j); |
| 575 | } | 575 | } |
| 576 | 576 | ||
| 577 | if (sound_nblocks >= 1024) | 577 | if (sound_nblocks >= MAX_MEM_BLOCKS - 1) |
| 578 | printk(KERN_ERR "Sound warning: Deallocation table was too small.\n"); | 578 | printk(KERN_ERR "Sound warning: Deallocation table was too small.\n"); |
| 579 | 579 | ||
| 580 | return 0; | 580 | return 0; |