From: Antonio Ospite <ao2@ao2.it>
To: alsa-devel@alsa-project.org
Cc: Takashi Iwai <tiwai@suse.de>, Antonio Ospite <ao2@ao2.it>
Subject: [alsa-lib][PATCH] ucm: fix crash when calling snd_use_case_geti() with no device or modifier
Date: Fri, 23 Sep 2016 18:11:16 +0200 [thread overview]
Message-ID: <20160923161116.26359-1-ao2@ao2.it> (raw)
When calling snd_use_case_geti(uc_mgr, "_devstatus", &lvalue) the code
ends up calling device_status(uc_mgr, NULL), which result in a crash in
strcmp(dev->name, NULL), when there are enabled devices.
This happens because snd_use_case_geti() allows a "_devstatus"
identifier even if it's only supposed to allow the form
"_devstatus/{device}".
So check that the device name is not null.
The same issue occurs with "_modstatus", this change fixes that as well.
Signed-off-by: Antonio Ospite <ao2@ao2.it>
---
Hi,
the bug can be reproduced with a command like this:
# alsaucm -n -b - <<EOM
open bytcr-rt5640
reset
set _verb HiFi
set _device Speaker
geti _devstatus
EOM
Segmentation fault
I decided to add the check once per command instead of doing this:
@@ -1525,7 +1525,8 @@ int snd_use_case_geti(snd_use_case_mgr_t *uc_mgr,
goto __end;
}
} else {
- str = NULL;
+ err = -EINVAL;
+ goto __end;
}
because the function body seems to be prepared to accept other forms of
identifiers, possibly even without a "prefix/suffix" structure.
Ciao ciao,
Antonio
P.S. the source code in src/ucm has a mixed indentation style of TABs and
spaces, would you accept a patch to uniform the style?
src/ucm/main.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/ucm/main.c b/src/ucm/main.c
index 24d9510..d5e418e 100644
--- a/src/ucm/main.c
+++ b/src/ucm/main.c
@@ -1528,12 +1528,20 @@ int snd_use_case_geti(snd_use_case_mgr_t *uc_mgr,
str = NULL;
}
if (check_identifier(identifier, "_devstatus")) {
+ if(!str) {
+ err = -EINVAL;
+ goto __end;
+ }
err = device_status(uc_mgr, str);
if (err >= 0) {
*value = err;
err = 0;
}
} else if (check_identifier(identifier, "_modstatus")) {
+ if(!str) {
+ err = -EINVAL;
+ goto __end;
+ }
err = modifier_status(uc_mgr, str);
if (err >= 0) {
*value = err;
--
2.9.3
next reply other threads:[~2016-09-23 16:11 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-23 16:11 Antonio Ospite [this message]
2016-09-29 7:57 ` [alsa-lib][PATCH] ucm: fix crash when calling snd_use_case_geti() with no device or modifier Takashi Iwai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160923161116.26359-1-ao2@ao2.it \
--to=ao2@ao2.it \
--cc=alsa-devel@alsa-project.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.