Date: Mon, 21 Jun 2010 17:09:03 +0200
Message-ID: <s5hwrts2zjk.wl%tiwai@suse.de>
From: Takashi Iwai <tiwai@suse.de>
To: Daniel Mack <daniel@caiaq.de>
Cc: Jiri Slaby <jslaby@suse.cz>, alsa-devel@alsa-project.org,
       linux-kernel@vger.kernel.org, jirislaby@gmail.com,
       Clemens Ladisch <clemens@ladisch.de>
Subject: Re: [PATCH] SOUND: usb/endpoint, fix dangling pointer use
In-Reply-To: <20100621150515.GB17833@buzzloop.caiaq.de>
References: <1277132601-14375-1-git-send-email-jslaby@suse.cz>
	<20100621150515.GB17833@buzzloop.caiaq.de>
User-Agent: Wanderlust/2.15.6 (Almost Unreal) SEMI/1.14.6 (Maruoka)
 FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.7 Emacs/23.1
 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 977
Lines: 29

At Mon, 21 Jun 2010 17:05:16 +0200,
Daniel Mack wrote:
> 
> On Mon, Jun 21, 2010 at 05:03:21PM +0200, Jiri Slaby wrote:
> > Stanse found that in snd_usb_parse_audio_endpoints, there is a
> > dangling pointer dereference. When snd_usb_parse_audio_format fails,
> > fp is freed, and continue invoked. On the next loop, there is
> > "fp && fp->altsetting == 1 && fp->channels == 1" test, but fp is set
> > from the last iteration (but is bogus) and thus ilegally dereferenced.
> > 
> > Set fp to NULL before "continue".
> 
> Oh, absolutely. Thanks.
> 
> > Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> 
> Acked-by: Daniel Mack <daniel@caiaq.de>
> 
> I think this should go thru the ALSA tree.

Yep, I applied it now.  Thanks!


Takashi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/