diff options
author | Takashi Iwai <tiwai@suse.de> | 2018-12-19 14:36:27 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-01-13 12:01:05 +0300 |
commit | 1117b7a380f4b4f575d90a318a43d2e168c01fbd (patch) | |
tree | 0e4f49b7bcacdf9ec7eae593f96486bdb10688af /sound | |
parent | 89c7ba90185dc9af684a17027300899e189039cd (diff) | |
download | linux-1117b7a380f4b4f575d90a318a43d2e168c01fbd.tar.xz |
ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
commit f4351a199cc120ff9d59e06d02e8657d08e6cc46 upstream.
The parser for the processing unit reads bNrInPins field before the
bLength sanity check, which may lead to an out-of-bound access when a
malformed descriptor is given. Fix it by assignment after the bLength
check.
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'sound')
-rw-r--r-- | sound/usb/mixer.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index 4d950b7c2f97..b3be0d432a75 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1888,7 +1888,7 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, char *name) { struct uac_processing_unit_descriptor *desc = raw_desc; - int num_ins = desc->bNrInPins; + int num_ins; struct usb_mixer_elem_info *cval; struct snd_kcontrol *kctl; int i, err, nameid, type, len; @@ -1903,7 +1903,13 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, 0, NULL, default_value_info }; - if (desc->bLength < 13 || desc->bLength < 13 + num_ins || + if (desc->bLength < 13) { + usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid); + return -EINVAL; + } + + num_ins = desc->bNrInPins; + if (desc->bLength < 13 + num_ins || desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) { usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid); return -EINVAL; |