[PATCH] aedsp16: Buffer overflow

[PATCH] aedsp16: Buffer overflow

[Roel Kluin]

DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes
including terminating null.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
Found with Parfait, http://research.sun.com/projects/parfait/

on line 498:
static char     DSPVersion[CARDVERLEN + 1] __initdata = {0, };

diff --git a/sound/oss/aedsp16.c b/sound/oss/aedsp16.c
index 3ee9900..35b5912 100644
--- a/sound/oss/aedsp16.c
+++ b/sound/oss/aedsp16.c
@@ -325,8 +325,9 @@
 /*
  * Size of character arrays that store name and version of sound card
  */
-#define CARDNAMELEN 15		/* Size of the card's name in chars     */
-#define CARDVERLEN  2		/* Size of the card's version in chars  */
+#define CARDNAMELEN	15	/* Size of the card's name in chars     */
+#define CARDVERLEN	10	/* Size of the card's version in chars	*/
+#define CARDVERDIGITS	2	/* Number of digits in the version	*/
 
 #if defined(CONFIG_SC6600)
 /*
@@ -410,7 +411,7 @@
 
 static int      soft_cfg __initdata = 0;	/* bitmapped config */
 static int      soft_cfg_mss __initdata = 0;	/* bitmapped mss config */
-static int      ver[CARDVERLEN] __initdata = {0, 0};	/* DSP Ver:
+static int      ver[CARDVERDIGITS] __initdata = {0, 0};	/* DSP Ver:
 						   hi->ver[0] lo->ver[1] */
 
 #if defined(CONFIG_SC6600)
@@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port)
 	 * string is finished.
 	 */
 		ver[len++] = ret;
-	  } while (len < CARDVERLEN);
+	  } while (len < CARDVERDIGITS);
 	sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);
 
 	DBG(("success.\n"));

Re: [PATCH] aedsp16: Buffer overflow

[Takashi Iwai]

At Wed, 29 Jul 2009 11:46:59 +0200,
Roel Kluin wrote:
> 
> DSPVersion is declared as char[3], but the sprintf writes at least 4 bytes
> including terminating null.
> 
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>

Applied now.  Thanks.


Takashi

> ---
> Found with Parfait, http://research.sun.com/projects/parfait/
> 
> on line 498:
> static char     DSPVersion[CARDVERLEN + 1] __initdata = {0, };
> 
> diff --git a/sound/oss/aedsp16.c b/sound/oss/aedsp16.c
> index 3ee9900..35b5912 100644
> --- a/sound/oss/aedsp16.c
> +++ b/sound/oss/aedsp16.c
> @@ -325,8 +325,9 @@
>  /*
>   * Size of character arrays that store name and version of sound card
>   */
> -#define CARDNAMELEN 15		/* Size of the card's name in chars     */
> -#define CARDVERLEN  2		/* Size of the card's version in chars  */
> +#define CARDNAMELEN	15	/* Size of the card's name in chars     */
> +#define CARDVERLEN	10	/* Size of the card's version in chars	*/
> +#define CARDVERDIGITS	2	/* Number of digits in the version	*/
>  
>  #if defined(CONFIG_SC6600)
>  /*
> @@ -410,7 +411,7 @@
>  
>  static int      soft_cfg __initdata = 0;	/* bitmapped config */
>  static int      soft_cfg_mss __initdata = 0;	/* bitmapped mss config */
> -static int      ver[CARDVERLEN] __initdata = {0, 0};	/* DSP Ver:
> +static int      ver[CARDVERDIGITS] __initdata = {0, 0};	/* DSP Ver:
>  						   hi->ver[0] lo->ver[1] */
>  
>  #if defined(CONFIG_SC6600)
> @@ -957,7 +958,7 @@ static int __init aedsp16_dsp_version(int port)
>  	 * string is finished.
>  	 */
>  		ver[len++] = ret;
> -	  } while (len < CARDVERLEN);
> +	  } while (len < CARDVERDIGITS);
>  	sprintf(DSPVersion, "%d.%d", ver[0], ver[1]);
>  
>  	DBG(("success.\n"));
> _______________________________________________
> Alsa-devel mailing list
> Alsa-devel@alsa-project.org
> http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
>