Commit 3d2a19f8 authored by Takashi Iwai's avatar Takashi Iwai Committed by Greg Kroah-Hartman

ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()

commit f4351a19 upstream.

The parser for the processing unit reads bNrInPins field before the
bLength sanity check, which may lead to an out-of-bound access when a
malformed descriptor is given.  Fix it by assignment after the bLength
check.

Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e189fc04
...@@ -2314,7 +2314,7 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, ...@@ -2314,7 +2314,7 @@ static int build_audio_procunit(struct mixer_build *state, int unitid,
char *name) char *name)
{ {
struct uac_processing_unit_descriptor *desc = raw_desc; struct uac_processing_unit_descriptor *desc = raw_desc;
int num_ins = desc->bNrInPins; int num_ins;
struct usb_mixer_elem_info *cval; struct usb_mixer_elem_info *cval;
struct snd_kcontrol *kctl; struct snd_kcontrol *kctl;
int i, err, nameid, type, len; int i, err, nameid, type, len;
...@@ -2329,7 +2329,13 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, ...@@ -2329,7 +2329,13 @@ static int build_audio_procunit(struct mixer_build *state, int unitid,
0, NULL, default_value_info 0, NULL, default_value_info
}; };
if (desc->bLength < 13 || desc->bLength < 13 + num_ins || if (desc->bLength < 13) {
usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
return -EINVAL;
}
num_ins = desc->bNrInPins;
if (desc->bLength < 13 + num_ins ||
desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) { desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) {
usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid); usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
return -EINVAL; return -EINVAL;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment