diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2011-09-23 09:24:21 +0300 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2011-09-23 08:28:56 +0200 |
commit | 643d6bbb9637a9b4bb47ec1a1ae3adf3ff9d75a1 (patch) | |
tree | 672f649422ea99bd769d871aa03f7d476b23a087 /sound/pci | |
parent | 8e699d2cc286506c00ce8ecc67c3d7d6cca9e814 (diff) | |
download | op-kernel-dev-643d6bbb9637a9b4bb47ec1a1ae3adf3ff9d75a1.zip op-kernel-dev-643d6bbb9637a9b4bb47ec1a1ae3adf3ff9d75a1.tar.gz |
ALSA: hdspm - potential info leak in snd_hdspm_hwdep_ioctl()
Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.
The status struct has a hole in it, and on some paths not all the
members were initialized.
struct hdspm_status {
unsigned char card_type; /* 0 1 */
/* XXX 3 bytes hole, try to pack */
enum hdspm_syncsource autosync_source; /* 4 4 */
long long unsigned int card_clock; /* 8 8 */
The hdspm_version struct had holes in it as well.
struct hdspm_version {
unsigned char card_type; /* 0 1 */
char cardname[20]; /* 1 20 */
/* XXX 3 bytes hole, try to pack */
unsigned int serial; /* 24 4 */
short unsigned int firmware_rev; /* 28 2 */
/* XXX 2 bytes hole, try to pack */
int addons; /* 32 4 */
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/pci')
-rw-r--r-- | sound/pci/rme9652/hdspm.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c index 214110d..bf438d1 100644 --- a/sound/pci/rme9652/hdspm.c +++ b/sound/pci/rme9652/hdspm.c @@ -6227,6 +6227,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, break; case SNDRV_HDSPM_IOCTL_GET_STATUS: + memset(&status, 0, sizeof(status)); + status.card_type = hdspm->io_type; status.autosync_source = hdspm_autosync_ref(hdspm); @@ -6266,6 +6268,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, break; case SNDRV_HDSPM_IOCTL_GET_VERSION: + memset(&hdspm_version, 0, sizeof(hdspm_version)); + hdspm_version.card_type = hdspm->io_type; strncpy(hdspm_version.cardname, hdspm->card_name, sizeof(hdspm_version.cardname)); |