Commit 3532750d authored by Takashi Iwai's avatar Takashi Iwai Committed by Greg Kroah-Hartman

ALSA: usb-audio: Add sanity checks in v2 clock parsers

commit 0a62d6c9 upstream.

The helper functions to parse and look for the clock source, selector
and multiplier unit may return the descriptor with a too short length
than required, while there is no sanity check in the caller side.
Add some sanity checks in the parsers, at least, to guarantee the
given descriptor size, for avoiding the potential crashes.

Fixes: 79f920fb ("ALSA: usb-audio: parse clock topology of UAC2 devices")
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 0b6cede2
...@@ -43,7 +43,7 @@ static struct uac_clock_source_descriptor * ...@@ -43,7 +43,7 @@ static struct uac_clock_source_descriptor *
while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
ctrl_iface->extralen, ctrl_iface->extralen,
cs, UAC2_CLOCK_SOURCE))) { cs, UAC2_CLOCK_SOURCE))) {
if (cs->bClockID == clock_id) if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
return cs; return cs;
} }
...@@ -59,8 +59,11 @@ static struct uac_clock_selector_descriptor * ...@@ -59,8 +59,11 @@ static struct uac_clock_selector_descriptor *
while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
ctrl_iface->extralen, ctrl_iface->extralen,
cs, UAC2_CLOCK_SELECTOR))) { cs, UAC2_CLOCK_SELECTOR))) {
if (cs->bClockID == clock_id) if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) {
if (cs->bLength < 5 + cs->bNrInPins)
return NULL;
return cs; return cs;
}
} }
return NULL; return NULL;
...@@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descriptor * ...@@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descriptor *
while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
ctrl_iface->extralen, ctrl_iface->extralen,
cs, UAC2_CLOCK_MULTIPLIER))) { cs, UAC2_CLOCK_MULTIPLIER))) {
if (cs->bClockID == clock_id) if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
return cs; return cs;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment