| From f658f17b5e0e339935dca23e77e0f3cad591926b Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Tue, 21 Nov 2017 17:00:32 +0100 |
| Subject: ALSA: usb-audio: Fix potential out-of-bound access at parsing SU |
| |
| From: Takashi Iwai <tiwai@suse.de> |
| |
| commit f658f17b5e0e339935dca23e77e0f3cad591926b upstream. |
| |
| The usb-audio driver may trigger an out-of-bound access at parsing a |
| malformed selector unit, as it checks the header length only after |
| evaluating bNrInPins field, which can be already above the given |
| length. Fix it by adding the length check beforehand. |
| |
| Fixes: 99fc86450c43 ("ALSA: usb-mixer: parse descriptors with structs") |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/usb/mixer.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/sound/usb/mixer.c |
| +++ b/sound/usb/mixer.c |
| @@ -2018,7 +2018,8 @@ static int parse_audio_selector_unit(str |
| const struct usbmix_name_map *map; |
| char **namelist; |
| |
| - if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) { |
| + if (desc->bLength < 5 || !desc->bNrInPins || |
| + desc->bLength < 5 + desc->bNrInPins) { |
| usb_audio_err(state->chip, |
| "invalid SELECTOR UNIT descriptor %d\n", unitid); |
| return -EINVAL; |