sound: ensure device number is valid in snd_seq_oss_synth_make_info

commit 82e68f7ffec3800425f2391c8c86277606860442 upstream snd_seq_oss_synth_make_info() incorrectly reports information to userspace without first checking for the validity of the device number, leading to possible information leak (CVE-2008-3272). Reported-By: Tobias Klein <tk@trapkit.de> Acked-and-tested-by: Takashi Iwai <tiwai@suse.de> Cc: stable@kernel.org Signed-off-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Willy Tarreau <w@1wt.eu> 2008-08-05 00:20:03 +0000
committer: Greg Kroah-Hartman <gregkh@suse.de> 2008-08-06 10:11:09 -0700
commit: 23ab7b6315ea278273194c1fe6bd2ae60f59edba (patch)
tree: dde475f09f6591e3fc2c1b0f2e297218a7df670e
parent: bd54faa88024e78ed62a675e39a0d59c46946546 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
index ab570a0a6183..2490259472a2 100644
--- a/sound/core/seq/oss/seq_oss_synth.c
+++ b/sound/core/seq/oss/seq_oss_synth.c
@@ -599,6 +599,9 @@ snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_in
 {
 	struct seq_oss_synth *rec;
 
+	if (dev < 0 || dev >= dp->max_synthdev)
+		return -ENXIO;
+
 	if (dp->synths[dev].is_midi) {
 		struct midi_info minf;
 		snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
author	Willy Tarreau <w@1wt.eu>	2008-08-05 00:20:03 +0000
committer	Greg Kroah-Hartman <gregkh@suse.de>	2008-08-06 10:11:09 -0700
commit	23ab7b6315ea278273194c1fe6bd2ae60f59edba (patch)
tree	dde475f09f6591e3fc2c1b0f2e297218a7df670e
parent	bd54faa88024e78ed62a675e39a0d59c46946546 (diff)