kernel / kernel-source

Clone
Source Code
GIT

Files

  1.   39c47496880d5a5103b8256b2a52ddc73d06414f
  2.   patches.suse
  3.   ALSA-line6-fix-stack-overflow-in-line6_midi_transmit.patch
Blob Blame History Raw 
From b8800d324abb50160560c636bfafe2c81001b66c Mon Sep 17 00:00:00 2001
From: Artem Egorkine <arteme@gmail.com>
Date: Sun, 25 Dec 2022 12:57:28 +0200
Subject: [PATCH] ALSA: line6: fix stack overflow in line6_midi_transmit
Git-commit: b8800d324abb50160560c636bfafe2c81001b66c
Patch-mainline: v6.2-rc2
References: git-fixes

Correctly calculate available space including the size of the chunk
buffer. This fixes a buffer overflow when multiple MIDI sysex
messages are sent to a PODxt device.

Signed-off-by: Artem Egorkine <arteme@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221225105728.1153989-2-arteme@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

---
 sound/usb/line6/midi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/usb/line6/midi.c b/sound/usb/line6/midi.c
index d52355de2bbc..0838632c788e 100644
--- a/sound/usb/line6/midi.c
+++ b/sound/usb/line6/midi.c
@@ -44,7 +44,8 @@ static void line6_midi_transmit(struct snd_rawmidi_substream *substream)
 	int req, done;
 
 	for (;;) {
-		req = min(line6_midibuf_bytes_free(mb), line6->max_packet_size);
+		req = min3(line6_midibuf_bytes_free(mb), line6->max_packet_size,
+			   LINE6_FALLBACK_MAXPACKETSIZE);
 		done = snd_rawmidi_transmit_peek(substream, chunk, req);
 
 		if (done == 0)
-- 
2.35.3
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.