diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2011-09-23 02:24:21 -0400 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2011-09-23 02:28:56 -0400 |
| commit | 643d6bbb9637a9b4bb47ec1a1ae3adf3ff9d75a1 (patch) | |
| tree | 672f649422ea99bd769d871aa03f7d476b23a087 /sound | |
| parent | 8e699d2cc286506c00ce8ecc67c3d7d6cca9e814 (diff) | |
ALSA: hdspm - potential info leak in snd_hdspm_hwdep_ioctl()
Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.
The status struct has a hole in it, and on some paths not all the
members were initialized.
struct hdspm_status {
unsigned char card_type; /* 0 1 */
/* XXX 3 bytes hole, try to pack */
enum hdspm_syncsource autosync_source; /* 4 4 */
long long unsigned int card_clock; /* 8 8 */
The hdspm_version struct had holes in it as well.
struct hdspm_version {
unsigned char card_type; /* 0 1 */
char cardname[20]; /* 1 20 */
/* XXX 3 bytes hole, try to pack */
unsigned int serial; /* 24 4 */
short unsigned int firmware_rev; /* 28 2 */
/* XXX 2 bytes hole, try to pack */
int addons; /* 32 4 */
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound')
| -rw-r--r-- | sound/pci/rme9652/hdspm.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c index 214110d6a2bf..bf438d121afe 100644 --- a/sound/pci/rme9652/hdspm.c +++ b/sound/pci/rme9652/hdspm.c | |||
| @@ -6227,6 +6227,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, | |||
| 6227 | break; | 6227 | break; |
| 6228 | 6228 | ||
| 6229 | case SNDRV_HDSPM_IOCTL_GET_STATUS: | 6229 | case SNDRV_HDSPM_IOCTL_GET_STATUS: |
| 6230 | memset(&status, 0, sizeof(status)); | ||
| 6231 | |||
| 6230 | status.card_type = hdspm->io_type; | 6232 | status.card_type = hdspm->io_type; |
| 6231 | 6233 | ||
| 6232 | status.autosync_source = hdspm_autosync_ref(hdspm); | 6234 | status.autosync_source = hdspm_autosync_ref(hdspm); |
| @@ -6266,6 +6268,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, | |||
| 6266 | break; | 6268 | break; |
| 6267 | 6269 | ||
| 6268 | case SNDRV_HDSPM_IOCTL_GET_VERSION: | 6270 | case SNDRV_HDSPM_IOCTL_GET_VERSION: |
| 6271 | memset(&hdspm_version, 0, sizeof(hdspm_version)); | ||
| 6272 | |||
| 6269 | hdspm_version.card_type = hdspm->io_type; | 6273 | hdspm_version.card_type = hdspm->io_type; |
| 6270 | strncpy(hdspm_version.cardname, hdspm->card_name, | 6274 | strncpy(hdspm_version.cardname, hdspm->card_name, |
| 6271 | sizeof(hdspm_version.cardname)); | 6275 | sizeof(hdspm_version.cardname)); |