Message ID | c224cbd5-d9e2-4cd4-9bcf-2138eb1d35c6@kili.mountain |
---|---|
State | Accepted |
Commit | c0e72058d5e21982e61a29de6b098f7c1f0db498 |
Headers | show |
Series | ALSA: firewire-digi00x: prevent potential use after free | expand |
Hi, On Fri, May 12, 2023 at 10:18:54AM +0200, Takashi Iwai wrote: > On Tue, 09 May 2023 11:07:11 +0200, > Dan Carpenter wrote: > > > > This code was supposed to return an error code if init_stream() > > failed, but it instead freed dg00x->rx_stream and returned success. > > This potentially leads to a use after free. > > > > Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain") > > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > > Thanks, applied now. I overlooked the patch. It looks good to me as well. Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Thanks Takashi Sakamoto
diff --git a/sound/firewire/digi00x/digi00x-stream.c b/sound/firewire/digi00x/digi00x-stream.c index a15f55b0dce3..295163bb8abb 100644 --- a/sound/firewire/digi00x/digi00x-stream.c +++ b/sound/firewire/digi00x/digi00x-stream.c @@ -259,8 +259,10 @@ int snd_dg00x_stream_init_duplex(struct snd_dg00x *dg00x) return err; err = init_stream(dg00x, &dg00x->tx_stream); - if (err < 0) + if (err < 0) { destroy_stream(dg00x, &dg00x->rx_stream); + return err; + } err = amdtp_domain_init(&dg00x->domain); if (err < 0) {
This code was supposed to return an error code if init_stream() failed, but it instead freed dg00x->rx_stream and returned success. This potentially leads to a use after free. Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- sound/firewire/digi00x/digi00x-stream.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)