ALSA: asihpi - off by one in asihpi_hpi_ioctl()
Dan Carpenter [Wed, 27 Jul 2011 12:02:26 +0000 (15:02 +0300)]
"adapter" is used as an array index in the adapters[] array so
the off by one would make us read past the end.

1c073b67979 "ALSA: asihpi - Remove spurious adapter index check"
reverted Dan Rosenberg's check that would have prevented the
overflow here.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

sound/pci/asihpi/hpioctl.c

index e0cff0c..9683f84 100644 (file)
@@ -183,7 +183,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                u32 adapter = hm->h.adapter_index;
                struct hpi_adapter *pa = &adapters[adapter];
 
-               if ((adapter > HPI_MAX_ADAPTERS) || (!pa->type)) {
+               if ((adapter >= HPI_MAX_ADAPTERS) || (!pa->type)) {
                        hpi_init_response(&hr->r0, HPI_OBJ_ADAPTER,
                                HPI_ADAPTER_OPEN,
                                HPI_ERROR_BAD_ADAPTER_NUMBER);