Commit 91e02557 authored by Takashi Iwai's avatar Takashi Iwai

ALSA: usb-audio: Fix potential out-of-bounce access in MIDI EP parser

The recently introduced MIDI endpoint parser code accesses the
field without size validation, hence it might lead to an
out-of-bounds access.  Add sanity checks for the descriptor
sizes.

Fixes: eb596e0f ("ALSA: usb-audio: generate midi streaming substream names from jack names")
Link: https://lore.kernel.org/r/20210511090500.2637-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent e84749a7
...@@ -1750,7 +1750,7 @@ static struct usb_midi_in_jack_descriptor *find_usb_in_jack_descriptor( ...@@ -1750,7 +1750,7 @@ static struct usb_midi_in_jack_descriptor *find_usb_in_jack_descriptor(
struct usb_midi_in_jack_descriptor *injd = struct usb_midi_in_jack_descriptor *injd =
(struct usb_midi_in_jack_descriptor *)extra; (struct usb_midi_in_jack_descriptor *)extra;
if (injd->bLength > 4 && if (injd->bLength >= sizeof(*injd) &&
injd->bDescriptorType == USB_DT_CS_INTERFACE && injd->bDescriptorType == USB_DT_CS_INTERFACE &&
injd->bDescriptorSubtype == UAC_MIDI_IN_JACK && injd->bDescriptorSubtype == UAC_MIDI_IN_JACK &&
injd->bJackID == jack_id) injd->bJackID == jack_id)
...@@ -1773,7 +1773,7 @@ static struct usb_midi_out_jack_descriptor *find_usb_out_jack_descriptor( ...@@ -1773,7 +1773,7 @@ static struct usb_midi_out_jack_descriptor *find_usb_out_jack_descriptor(
struct usb_midi_out_jack_descriptor *outjd = struct usb_midi_out_jack_descriptor *outjd =
(struct usb_midi_out_jack_descriptor *)extra; (struct usb_midi_out_jack_descriptor *)extra;
if (outjd->bLength > 4 && if (outjd->bLength >= sizeof(*outjd) &&
outjd->bDescriptorType == USB_DT_CS_INTERFACE && outjd->bDescriptorType == USB_DT_CS_INTERFACE &&
outjd->bDescriptorSubtype == UAC_MIDI_OUT_JACK && outjd->bDescriptorSubtype == UAC_MIDI_OUT_JACK &&
outjd->bJackID == jack_id) outjd->bJackID == jack_id)
...@@ -1820,6 +1820,7 @@ static void snd_usbmidi_init_substream(struct snd_usb_midi *umidi, ...@@ -1820,6 +1820,7 @@ static void snd_usbmidi_init_substream(struct snd_usb_midi *umidi,
outjd = find_usb_out_jack_descriptor(hostif, jack_id); outjd = find_usb_out_jack_descriptor(hostif, jack_id);
if (outjd) { if (outjd) {
sz = USB_DT_MIDI_OUT_SIZE(outjd->bNrInputPins); sz = USB_DT_MIDI_OUT_SIZE(outjd->bNrInputPins);
if (outjd->bLength >= sz)
iJack = *(((uint8_t *) outjd) + sz - sizeof(uint8_t)); iJack = *(((uint8_t *) outjd) + sz - sizeof(uint8_t));
} }
} else { } else {
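Review bot: All three new guards compare `bLength` with a structure size, but `bLength` is itself a byte supplied by the device, and nothing in the visible hunks compares it with the bytes actually remaining in the interface's extra-descriptor buffer. A trailing descriptor that claims more length than is left would still satisfy `bLength >= sizeof(*injd)` in both `find_usb_*_jack_descriptor` helpers, and the `iJack` read at offset `sz - 1` in `snd_usbmidi_init_substream` trusts the same claim. The enclosing loops and function bodies lie outside the hunks, so the remaining length may already be bounded there or by the USB core's descriptor parsing; if it is not, the helpers should also reject a descriptor whose `bLength` exceeds what is left of `hostif->extralen`. Separately, when `outjd->bLength >= sz` fails, `iJack` keeps whatever value it had before; its initialisation is not visible here, so confirm it starts at 0 on that path.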