ALSA: firewire-motu: add bounds check in put_user loop for DSP events

In the DSP event handling code, a put_user() loop copies event data.
When the user buffer size is not aligned to 4 bytes, it could overwrite
beyond the buffer boundary.

Fix by adding a bounds check before put_user().

Suggested-by: Takashi Iwai <tiwai@suse.de>
Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB788112C72AF8A1C8C448B4B8AFA3A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c
index 6675b23aad69ef91cbc0b5bc5f8b9cd4aefa50a6..89dc436a065299f1152733ac4b61c24aec4ca5be 100644 (file)
--- a/sound/firewire/motu/motu-hwdep.c
+++ b/sound/firewire/motu/motu-hwdep.c
@@ -75,7 +75,7 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
                while (consumed < count &&
                       snd_motu_register_dsp_message_parser_copy_event(motu, &ev)) {
                        ptr = (u32 __user *)(buf + consumed);
-                       if (put_user(ev, ptr))
+                       if (consumed + sizeof(ev) > count || put_user(ev, ptr))
                                return -EFAULT;
                        consumed += sizeof(ev);
                }