ALSA: mixart: Add sanity check for timer notify streams
authorTakashi Iwai <tiwai@suse.de>
Tue, 7 Dec 2021 15:33:23 +0000 (16:33 +0100)
committerTakashi Iwai <tiwai@suse.de>
Tue, 7 Dec 2021 15:35:58 +0000 (16:35 +0100)
The miXart timer notification is a variable length, and if a hardware
is screwed up, we may access over the actual data size.  Let's add a
sanity check and bail out if an invalid value is received.

Link: https://lore.kernel.org/r/20211207153323.27098-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
sound/pci/mixart/mixart_core.c

index 853083d..a047ed0 100644 (file)
@@ -443,6 +443,8 @@ irqreturn_t snd_mixart_threaded_irq(int irq, void *dev_id)
                                notify = (struct mixart_timer_notify *)mixart_msg_data;
 
                                BUILD_BUG_ON(sizeof(notify) > sizeof(mixart_msg_data));
+                               if (snd_BUG_ON(notify->stream_count > ARRAY_SIZE(notify->streams)))
+                                       break;
                                for(i=0; i<notify->stream_count; i++) {
 
                                        u32 buffer_id = notify->streams[i].buffer_id;