sound: ensure device number is valid in snd_seq_oss_synth_make_info

commit 82e68f7ffec3800425f2391c8c86277606860442 upstream

snd_seq_oss_synth_make_info() incorrectly reports information
to userspace without first checking for the validity of the
device number, leading to possible information leak (CVE-2008-3272).

Reported-By: Tobias Klein <tk@trapkit.de>
Acked-and-tested-by: Takashi Iwai <tiwai@suse.de>
Cc: stable@kernel.org
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
index 558dadbf45f12e39387573ca5566b8d31b5be562..e024e4588b829280b8871420c7d32a616352e7ef 100644 (file)
--- a/sound/core/seq/oss/seq_oss_synth.c
+++ b/sound/core/seq/oss/seq_oss_synth.c
@@ -604,6 +604,9 @@ snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_in
 {
        struct seq_oss_synth *rec;
 
+       if (dev < 0 || dev >= dp->max_synthdev)
+               return -ENXIO;
+
        if (dp->synths[dev].is_midi) {
                struct midi_info minf;
                snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);