LKML Archive on lore.kernel.org
* something odd in emu10k1/emufx
From: Al Viro @ 2008-01-19 2:16 UTC
To: tiwai; +Cc: linux-kernel

In copy_tlv() we have

	tlv = kmalloc(data[1] * 4 + sizeof(data), GFP_KERNEL);
	if (!tlv)
		return NULL;
	memcpy(tlv, data, sizeof(data));
	if (copy_from_user(tlv + 2, _tlv + 2, data[1])) {
		kfree(tlv);
		return NULL;
	}

which looks rather odd, since either we kmalloc too much or copy too little...
Comments?
* Re: something odd in emu10k1/emufx
From: Takashi Iwai @ 2008-01-19 9:36 UTC
To: Al Viro; +Cc: linux-kernel
At Sat, 19 Jan 2008 02:16:14 +0000,
Al Viro wrote:
>
> In copy_tlv() we have
>
> 	tlv = kmalloc(data[1] * 4 + sizeof(data), GFP_KERNEL);
> 	if (!tlv)
> 		return NULL;
> 	memcpy(tlv, data, sizeof(data));
> 	if (copy_from_user(tlv + 2, _tlv + 2, data[1])) {
> 		kfree(tlv);
> 		return NULL;
> 	}
>
> which looks rather odd, since either we kmalloc too much or copy too little...
> Comments?

It's the former case. The total length should be data[1] +
sizeof(data). I fixed it on the ALSA tree now.
Thanks,
Takashi
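
The sizing agreed on in this thread, as an added userspace C model; it is not code from either message or from the ALSA tree. Assumptions: the header is two 32-bit words with data[1] holding the payload length in bytes, and the MAX_PAYLOAD cap, the ubytes parameter and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_WORDS 2        /* assumed layout: data[0] = type, data[1] = payload bytes */
#define MAX_PAYLOAD 256    /* hypothetical cap, not a value from the thread */

/* Size the quoted code allocates: length scaled by 4 when sizing only. */
size_t old_alloc_bytes(uint32_t len)
{
    return (size_t)len * 4 + HDR_WORDS * sizeof(uint32_t);
}

/* Userspace model: utlv/ubytes stand in for the user buffer and its extent.
 * Returns a heap copy (caller frees) or NULL; *alloc_out = bytes allocated. */
uint32_t *copy_tlv_model(const uint32_t *utlv, size_t ubytes, size_t *alloc_out)
{
    uint32_t data[HDR_WORDS];
    uint32_t *tlv;
    size_t total;

    if (!utlv || ubytes < sizeof(data))
        return NULL;
    memcpy(data, utlv, sizeof(data));
    if (data[1] > MAX_PAYLOAD)           /* bound the caller-supplied length */
        return NULL;
    total = sizeof(data) + data[1];      /* single byte count for alloc and copy */
    if (ubytes < total)                  /* source must hold the whole payload */
        return NULL;
    tlv = malloc(total);
    if (!tlv)
        return NULL;
    memcpy(tlv, data, sizeof(data));
    memcpy(tlv + HDR_WORDS, utlv + HDR_WORDS, total - sizeof(data));
    *alloc_out = total;
    return tlv;
}

int main(void)
{
    uint32_t src[6] = { 1, 16, 0xa, 0xb, 0xc, 0xd };   /* constructed sample TLV */
    size_t n = 0;
    uint32_t *t = copy_tlv_model(src, sizeof(src), &n);

    printf("old: %zu bytes, consistent: %zu bytes\n", old_alloc_bytes(src[1]), n);
    free(t);
    return 0;
}
```

Deriving the allocation and the copy length from the same byte count keeps the two from drifting apart the way the quoted lines do.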