From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
To: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: tiwai@suse.de, alsa-devel@alsa-project.org, clemens@ladisch.de,
ffado-devel@lists.sf.net
Subject: Re: [PATCH 5/5] ALSA: firewire-tascam: change device probing processing
Date: Tue, 13 Oct 2015 23:12:55 +0900 [thread overview]
Message-ID: <561D1167.3030305@sakamocchi.jp> (raw)
In-Reply-To: <20151012144255.2c10e939@kant>
On Oct 12 2015 21:42, Stefan Richter wrote:
>> -static int check_name(struct snd_tscm *tscm)
>> +static int identify_model(struct snd_tscm *tscm)
>> {
>> struct fw_device *fw_dev = fw_parent_device(tscm->unit);
>> - char vendor[8];
>> + const u32 *config_rom = fw_dev->config_rom;
>> char model[8];
>> - __u32 data;
>> -
>> - /* Retrieve model name. */
>> - data = be32_to_cpu(fw_dev->config_rom[28]);
>> - memcpy(model, &data, 4);
>> - data = be32_to_cpu(fw_dev->config_rom[29]);
>> - memcpy(model + 4, &data, 4);
>> - model[7] = '\0';
>> -
>> - /* Retrieve vendor name. */
>> - data = be32_to_cpu(fw_dev->config_rom[23]);
>> - memcpy(vendor, &data, 4);
>> - data = be32_to_cpu(fw_dev->config_rom[24]);
>> - memcpy(vendor + 4, &data, 4);
>> - vendor[7] = '\0';
>> + unsigned int i;
>> + u8 c;
>> +
>> + if (fw_dev->config_rom_length < 30) {
>> + dev_err(&tscm->unit->device,
>> + "Configuration ROM is too short.\n");
>> + return -ENODEV;
>> + }
>> +
>> + /* Pick up model name from certain addresses. */
>> + for (i = 0; i < 8; i++) {
>> + c = config_rom[28 + i / 4] >> (24 - 8 * (i % 4));
>> + if (c == '\0')
>> + break;
>> + model[i] = c;
>> + }
>> + model[i] = '\0';
>
> You could get a buffer overrun here. Perhaps only go to i < 7:
Indeed, thanks.
> for (i = 0; i < 7; i++) {
> [...]
> }
> model[i] = '\0';
>
>> + for (i = 0; i < ARRAY_SIZE(model_specs); i++) {
>> + if (strcmp(model, model_specs[i].name) == 0) {
>> + tscm->spec = &model_specs[i];
>> + break;
>> + }
>> + }
>> + if (tscm->spec == NULL)
>> + return -ENODEV;
>>
>> strcpy(tscm->card->driver, "FW-TASCAM");
>> strcpy(tscm->card->shortname, model);
>> strcpy(tscm->card->mixername, model);
>> snprintf(tscm->card->longname, sizeof(tscm->card->longname),
>> - "%s %s, GUID %08x%08x at %s, S%d", vendor, model,
>> + "TASCAM %s, GUID %08x%08x at %s, S%d", model,
>> cpu_to_be32(fw_dev->config_rom[3]),
>> cpu_to_be32(fw_dev->config_rom[4]),
>> dev_name(&tscm->unit->device), 100 << fw_dev->max_speed);
>
> Should be
> fw_dev->config_rom[3],
> fw_dev->config_rom[4],
>
> since snprintf wants CPU-endian values.
Firewire-digi00x also includes the same bug.
I found some endianness bug in the other modules. I'll fixed these bugs
in the same series of patches later.
Thanks
Takashi Sakamoto
next prev parent reply other threads:[~2015-10-13 14:12 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-12 10:10 [PATCH 0/5] ALSA: firewire-tascam: add MIDI functionality Takashi Sakamoto
2015-10-12 10:10 ` [PATCH 1/5] ALSA: firewire-tascam: add support for incoming MIDI messages by asynchronous transaction Takashi Sakamoto
2015-10-12 10:10 ` [PATCH 2/5] ALSA: firewire-tascam: add support for outgoing " Takashi Sakamoto
2015-10-12 10:10 ` [PATCH 3/5] ALSA: firewire-tascam: add support for MIDI functionality Takashi Sakamoto
2015-10-12 10:10 ` [PATCH 4/5] ALSA: firewire-tascam: Turn on/off FireWire LED Takashi Sakamoto
2015-10-12 10:10 ` [PATCH 5/5] ALSA: firewire-tascam: change device probing processing Takashi Sakamoto
2015-10-12 12:42 ` Stefan Richter
2015-10-13 14:12 ` Takashi Sakamoto [this message]
2015-10-12 12:21 ` [PATCH 0/5] ALSA: firewire-tascam: add MIDI functionality Takashi Iwai
2015-10-12 12:48 ` Stefan Richter
2015-10-12 22:20 ` Jonathan Woithe
2015-10-13 9:36 ` Takashi Sakamoto
2015-10-13 10:02 ` Jonathan Woithe
2015-10-13 22:20 ` Stefan Richter
2015-10-19 14:21 ` Takashi Sakamoto
2015-10-19 23:45 ` Jonathan Woithe
2015-10-13 14:15 ` Stefan Richter
2015-10-19 14:13 ` Takashi Sakamoto
2015-10-19 23:36 ` Jonathan Woithe
2015-10-20 0:50 ` Takashi Sakamoto
2015-10-20 2:09 ` Takashi Sakamoto
2015-10-20 2:57 ` Jonathan Woithe
2015-10-20 2:52 ` Jonathan Woithe
2015-10-20 7:39 ` Stefan Richter
2015-10-26 15:18 ` Takashi Sakamoto
2015-10-27 1:38 ` Stefan Richter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=561D1167.3030305@sakamocchi.jp \
--to=o-takashi@sakamocchi.jp \
--cc=alsa-devel@alsa-project.org \
--cc=clemens@ladisch.de \
--cc=ffado-devel@lists.sf.net \
--cc=stefanr@s5r6.in-berlin.de \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.