| From 0a62d6c966956d77397c32836a5bbfe3af786fc1 Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Tue, 21 Nov 2017 17:28:06 +0100 |
| Subject: ALSA: usb-audio: Add sanity checks in v2 clock parsers |
| |
| From: Takashi Iwai <tiwai@suse.de> |
| |
| commit 0a62d6c966956d77397c32836a5bbfe3af786fc1 upstream. |
| |
| The helper functions that parse and look up the clock source, selector |
| and multiplier units may return a descriptor that is shorter than |
| required, and the callers perform no sanity check of their own. |
| Add sanity checks in the parsers, at least to guarantee the given |
| descriptor size, to avoid potential crashes. |
| |
| Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices") |
| Reported-by: Andrey Konovalov <andreyknvl@google.com> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/usb/clock.c | 9 ++++++--- |
| 1 file changed, 6 insertions(+), 3 deletions(-) |
| |
| --- a/sound/usb/clock.c |
| +++ b/sound/usb/clock.c |
| @@ -43,7 +43,7 @@ static struct uac_clock_source_descripto |
| while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, |
| ctrl_iface->extralen, |
| cs, UAC2_CLOCK_SOURCE))) { |
| - if (cs->bClockID == clock_id) |
| + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) |
| return cs; |
| } |
| |
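Review bot: In the clock source lookup, folding `cs->bLength >= sizeof(*cs)` into the ID comparison makes a truncated descriptor indistinguishable from a non-matching one, so it is skipped without trace and the caller only sees the clock as missing. A too-short descriptor points to a faulty or hostile device, so I would add a comment such as `/* skip descriptors too short to hold the full clock source layout */`. A debug message at that point would also help triage, if the subsystem's logging conventions allow it. The same applies to the multiplier lookup in the third hunk. The function starts and ends outside this hunk.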
| @@ -59,8 +59,11 @@ static struct uac_clock_selector_descrip |
| while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, |
| ctrl_iface->extralen, |
| cs, UAC2_CLOCK_SELECTOR))) { |
| - if (cs->bClockID == clock_id) |
| + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) { |
| + if (cs->bLength < 5 + cs->bNrInPins) |
| + return NULL; |
| return cs; |
| + } |
| } |
| |
| return NULL; |
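Review bot: The added bound `cs->bLength < 5 + cs->bNrInPins` in the clock selector lookup covers only the baCSourceID array. In the UAC2 descriptor layout, as I read it, two more bytes (bmControls and iClockSelector) follow that array, so a descriptor that passes this check can still be too short for code that reads those trailing fields. If any caller does so (none is visible here), the check should require the full size, for example `if (cs->bLength < 7 + cs->bNrInPins)`, ideally with the constant named or commented rather than a bare number. This branch also ends the search with `return NULL` on the first malformed match, while the source and multiplier lookups skip a short descriptor and keep looking; one policy across all three would be easier to reason about. The function begins outside this hunk.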
| @@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descr |
| while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, |
| ctrl_iface->extralen, |
| cs, UAC2_CLOCK_MULTIPLIER))) { |
| - if (cs->bClockID == clock_id) |
| + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) |
| return cs; |
| } |
| |