Skip to content

Commit ac902c1

Browse files
larsclausentiwai
authored andcommitted
ALSA: control: Handle numid overflow
Each control gets automatically assigned its numids when the control is created. The allocation is done by incrementing the numid by the amount of allocated numids per allocation. This means that excessive creation and destruction of controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to eventually overflow. Currently when this happens for the control that caused the overflow kctl->id.numid + kctl->count will also over flow causing it to be smaller than kctl->id.numid. Most of the code assumes that this is something that can not happen, so we need to make sure that it won't happen Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Acked-by: Jaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
1 parent fd9f26e commit ac902c1

File tree

1 file changed

+4
-0
lines changed

1 file changed

+4
-0
lines changed

Diff for: sound/core/control.c

+4
Original file line numberDiff line numberDiff line change
@@ -288,6 +288,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card,
288288
{
289289
struct snd_kcontrol *kctl;
290290

291+
/* Make sure that the ids assigned to the control do not wrap around */
292+
if (card->last_numid >= UINT_MAX - count)
293+
card->last_numid = 0;
294+
291295
list_for_each_entry(kctl, &card->controls, list) {
292296
if (kctl->id.numid < card->last_numid + 1 + count &&
293297
kctl->id.numid + kctl->count > card->last_numid + 1) {

0 commit comments

Comments
 (0)