diff options
| author | Cássio Gabriel <cassiogabrielcontato@gmail.com> | 2026-04-25 00:50:10 +0300 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2026-04-27 14:51:07 +0300 |
| commit | 26265dd69da32d88a88d21987853cec899d9e21f (patch) | |
| tree | 6935ae0c2a062520707ea30081b51237cf612600 | |
| parent | e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff (diff) | |
| download | linux-26265dd69da32d88a88d21987853cec899d9e21f.tar.xz | |
ALSA: usb-audio: Fix UAC3 cluster descriptor size check
The UAC3 cluster descriptor length check in
snd_usb_get_audioformat_uac3()was added to
make sure that the buffer is large enough for
a struct uac3_cluster_header_descriptor before the
returned data is cast and used.
However, the check uses sizeof(cluster), where cluster
is a pointer, not the size of the descriptor header.
This makes the validation depend on the architecture
pointer size and does not match the intended object size.
Check against sizeof(*cluster) instead.
Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260424-alsa-usb-uac3-cluster-size-v1-1-99a5808898a3@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
| -rw-r--r-- | sound/usb/stream.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sound/usb/stream.c b/sound/usb/stream.c index 2532bf97e05e..6c51226f771b 100644 --- a/sound/usb/stream.c +++ b/sound/usb/stream.c @@ -1003,7 +1003,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip, * and request Cluster Descriptor */ wLength = le16_to_cpu(hc_header.wLength); - if (wLength < sizeof(cluster)) + if (wLength < sizeof(*cluster)) return NULL; cluster = kzalloc(wLength, GFP_KERNEL); if (!cluster) |