Commit f44f7f96a20af16f6f12e1c995576d6becf5f57b ('RTC: Initialize
kernel state from RTC') introduced a potential infinite loop. If an
alarm time contains a wildcard month and an invalid day (> 31), or a
wildcard year and an invalid month (>= 12), the loop searching for the
next matching date will never terminate. Treat the invalid values as
wildcards.

Reported-by: leo weppelman <leoweppelman@googlemail.com>
Reported-by: "P. van Gaans" <mailme667@yahoo.co.uk>
References: http://bugs.debian.org/646429
References: http://bugs.debian.org/653331
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: stable@vger.kernel.org
---
I'm not sure whether the out-of-range values should be sanitised
earlier. The rtc-cmos driver certainly does not do this.

Ben.

drivers/rtc/interface.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c
index 3d9d2b9..f79ff34 100644
--- a/drivers/rtc/interface.c
+++ b/drivers/rtc/interface.c
@@ -227,11 +227,11 @@ int __rtc_read_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm)
alarm->time.tm_hour = now.tm_hour;

/* For simplicity, only support date rollover for now */
- if (alarm->time.tm_mday == -1) {
+ if (alarm->time.tm_mday < 1 || alarm->time.tm_mday > 31) {
alarm->time.tm_mday = now.tm_mday;
missing = day;
}
- if (alarm->time.tm_mon == -1) {
+ if ((unsigned)alarm->time.tm_mon >= 12) {
alarm->time.tm_mon = now.tm_mon;
if (missing == none)
missing = month;
--
1.7.7.3





--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 1325173316.13595.25.camel@deadeye">http://lists.debian.org/1325173316.13595.25.camel@deadeye