sound: ensure device number is valid in snd_seq_oss_synth_make_info

commit 82e68f7ffec3800425f2391c8c86277606860442 upstream snd_seq_oss_synth_make_info() incorrectly reports information to userspace without first checking for the validity of the device number, leading to possible information leak (CVE-2008-3272). Reported-By: Tobias Klein <tk@trapkit.de> Acked-and-tested-by: Takashi Iwai <tiwai@suse.de> Cc: stable@kernel.org Signed-off-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Willy Tarreau <w@1wt.eu> 2008-08-05 00:20:03 +0000
committer: Greg Kroah-Hartman <gregkh@suse.de> 2008-08-06 09:03:27 -0700
commit: ee3b94e26df9e2903add812f7f43cdcdc2ed5288 (patch)
tree: f471243d3db392fdbab6fb79e83bc593b0d470b7
parent: 8256c73d4fab8b3b019b7a21974252854d6deb68 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
index 558dadbf45f1..e024e4588b82 100644
--- a/sound/core/seq/oss/seq_oss_synth.c
+++ b/sound/core/seq/oss/seq_oss_synth.c
@@ -604,6 +604,9 @@ snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_in
 {
 	struct seq_oss_synth *rec;
 
+	if (dev < 0 || dev >= dp->max_synthdev)
+		return -ENXIO;
+
 	if (dp->synths[dev].is_midi) {
 		struct midi_info minf;
 		snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
author	Willy Tarreau <w@1wt.eu>	2008-08-05 00:20:03 +0000
committer	Greg Kroah-Hartman <gregkh@suse.de>	2008-08-06 09:03:27 -0700
commit	ee3b94e26df9e2903add812f7f43cdcdc2ed5288 (patch)
tree	f471243d3db392fdbab6fb79e83bc593b0d470b7
parent	8256c73d4fab8b3b019b7a21974252854d6deb68 (diff)