ASoC: ab8500-codec: info leak in anc_status_control_put()

commit d63733ae upstream. If the user passes an invalid value it leads to an info leak when we print the error message or it could oops. This is called with user supplied data from snd_ctl_elem_write(). Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mark Brown <broonie@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ASoC: ab8500-codec: info leak in anc_status_control_put()
commit d63733ae upstream. If the user passes an invalid value it leads to an info leak when we print the error message or it could oops. This is called with user supplied data from snd_ctl_elem_write(). Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mark Brown <broonie@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7a7e86e4 · Dan Carpenter · Greg Kroah-Hartman · 7fe5daa3 · 7a7e86e4
Commit 7a7e86e4 authored Sep 13, 2013 by Dan Carpenter Committed by Greg Kroah-Hartman Oct 13, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

sound/soc/codecs/ab8500-codec.c sound/soc/codecs/ab8500-codec.c +6 -1

No files found.
--- a/sound/soc/codecs/ab8500-codec.c
+++ b/sound/soc/codecs/ab8500-codec.c
@@ -1225,13 +1225,18 @@ static int anc_status_control_put(struct snd_kcontrol *kcontrol,
 	struct ab8500_codec_drvdata *drvdata = dev_get_drvdata(codec->dev);
 	struct device *dev = codec->dev;
 	bool apply_fir, apply_iir;
-	int req, status;
+	unsigned int req;
+	int status;

 	dev_dbg(dev, "%s: Enter.\n", __func__);

 	mutex_lock(&drvdata->anc_lock);

 	req = ucontrol->value.integer.value[0];
+	if (req >= ARRAY_SIZE(enum_anc_state)) {
+		status = -EINVAL;
+		goto cleanup;
+	}
 	if (req != ANC_APPLY_FIR_IIR && req != ANC_APPLY_FIR &&
 		req != ANC_APPLY_IIR) {
 		dev_err(dev, "%s: ERROR: Unsupported status to set '%s'!\n",