Bugzilla – Bug 50279
VUL-0: CVE-2004-0178: kernel: SoundBlaster code can be used to trigger local DoS
Last modified: 2021-09-26 10:53:24 UTC
And another one... Date: Wed, 03 Mar 2004 00:47:24 +0000 From: Alan Cox <alan@lxorguk.ukuu.org.uk> To: vendor-sec@lst.de Subject: [vendor-sec] [Fwd: Kernel 2.4.25 : Bug in Sound Blaster code, DoS very easily done. (fwd)] Forwarding unreviewed. -----Forwarded Message----- > From: Marcelo Tosatti <marcelo.tosatti@cyclades.com> > To: akpm@osdl.org > Cc: alan@lxorguk.ukuu.org.uk > Subject: Kernel 2.4.25 : Bug in Sound Blaster code, DoS very easily done. (fwd) > Date: Tue, 02 Mar 2004 17:47:50 -0300 > > > FYI > > ---------- Forwarded message ---------- > Date: Tue, 2 Mar 2004 00:33:18 +0100 > From: Andreas Kies <andikies@t-online.de> > To: marcelo.tosatti@cyclades.com > Subject: Kernel 2.4.25 : Bug in Sound Blaster code, DoS very easily done. > > Hi Marcelo, > > The old OSS code contains a dangerous bug in the Sound Blaster 16 code part. > It is possible for every user that has access to the sound system to crash > the machine. > The reason for this is improperly handled 16 bit sample size. If you use an > odd number of bytes in 16 bit mode your machine will lock up. > The lockup is caused by the fact that only an even number of bytes are > processed, so the last byte is processed in an endless loop. > > Here is a patch that will fix the problem : > > --- drivers/sound/sb_audio.c.old Wed Mar 6 18:23:49 2002 > +++ drivers/sound/sb_audio.c Sun Feb 29 16:28:18 2004 > @@ -879,7 +879,7 @@ > c -= locallen; p += locallen; > } > /* used = ( samples * 16 bits size ) */ > - *used = len << 1; > + *used = max_in > ( max_out << 1) ? (max_out << 1) : max_in; > /* returned = ( samples * 8 bits size ) */ > *returned = len; > } > > Please include this simple but helpful fix in the next 2.4.26-pre version. > Could you please inform Andrew, because the same bug is in 2.6 ? > Please ask me if you have any problems with this change. > > Many thanks. > > Andreas
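Review bot: The comment kept above the changed line, `/* used = ( samples * 16 bits size ) */`, no longer describes what the new `*used` expression computes. When `max_in` is odd and not larger than `max_out << 1`, `*used` is now `max_in`, so the trailing odd byte is reported as consumed rather than left for the caller to resubmit. Going by the report, that is what ends the endless loop, but the comment should say so explicitly, for example by noting that a trailing odd byte in 16-bit mode is counted as used and dropped. The computation of `len` is not visible in this hunk, so please also confirm that the unchanged `*returned = len;` stays consistent with the clamped `*used` in both the `max_in`-limited and `max_out`-limited cases.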
Fixes are in, kernels are waiting for check in.
CAN-2004-0178
Issue is PUBLIC.
packages released.
CVE-2004-0178: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)