]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commitdiff
projects / mirror_ubuntu-artful-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5ee0a41)
ALSA: usb-audio: Add sanity checks to FE parser
authorTakashi Iwai <tiwai@suse.de>
Tue, 21 Nov 2017 15:55:51 +0000 (16:55 +0100)
committerKleber Sacilotto de Souza <kleber.souza@canonical.com>
Tue, 13 Mar 2018 10:25:47 +0000 (11:25 +0100)
BugLink: http://bugs.launchpad.net/bugs/1744873
commit d937cd6790a2bef2d07b500487646bd794c039bb upstream.

When the usb-audio descriptor contains the malformed feature unit
description with a too short length, the driver may access
out-of-bounds.  Add a sanity check of the header size at the beginning
of parse_audio_feature_unit().

Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
sound/usb/mixer.c patch | blob | blame | history

diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index a23efc8671d65ed226368f8a27d988a6ec536dad..7008e74f823574485ab99269ef0b91651ba3324e 100644 (file)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1397,6 +1397,12 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
        __u8 *bmaControls;
 
        if (state->mixer->protocol == UAC_VERSION_1) {
+               if (hdr->bLength < 7) {
+                       usb_audio_err(state->chip,
+                                     "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
+                                     unitid);
+                       return -EINVAL;
+               }
                csize = hdr->bControlSize;
                if (!csize) {
                        usb_audio_dbg(state->chip,
@@ -1414,6 +1420,12 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
                }
        } else {
                struct uac2_feature_unit_descriptor *ftr = _ftr;
+               if (hdr->bLength < 6) {
+                       usb_audio_err(state->chip,
+                                     "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
+                                     unitid);
+                       return -EINVAL;
+               }
                csize = 4;
                channels = (hdr->bLength - 6) / 4 - 1;
                bmaControls = ftr->bmaControls;
Ubuntu Artful kernel mirror