From b580fbfff13b01fa79a0760cbb6386f33bc9e10b Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Tue, 3 Apr 2018 17:45:19 +0200
Subject: [PATCH] ALSA: usb-audio: Add sanity checks in UAC3 clock parsers
Git-commit: b580fbfff13b01fa79a0760cbb6386f33bc9e10b
Patch-mainline: v4.17-rc1
References: bsc#1121278
The UAC3 clock parser codes lack of the sanity checks for malformed
descriptors like UAC2 parser does. Without it, the driver may lead to
a potential crash.
Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Tested-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Reviewed-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/usb/clock.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 30cfd5b1bdfb..0b030d8fe3fa 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -58,7 +58,7 @@ static bool validate_clock_source_v2(void *p, int id)
static bool validate_clock_source_v3(void *p, int id)
{
struct uac3_clock_source_descriptor *cs = p;
- return cs->bClockID == id;
+ return cs->bLength == sizeof(*cs) && cs->bClockID == id;
}
static bool validate_clock_selector_v2(void *p, int id)
@@ -71,7 +71,8 @@ static bool validate_clock_selector_v2(void *p, int id)
static bool validate_clock_selector_v3(void *p, int id)
{
struct uac3_clock_selector_descriptor *cs = p;
- return cs->bClockID == id;
+ return cs->bLength >= sizeof(*cs) && cs->bClockID == id &&
+ cs->bLength == 11 + cs->bNrInPins;
}
static bool validate_clock_multiplier_v2(void *p, int id)
@@ -83,7 +84,7 @@ static bool validate_clock_multiplier_v2(void *p, int id)
static bool validate_clock_multiplier_v3(void *p, int id)
{
struct uac3_clock_multiplier_descriptor *cs = p;
- return cs->bClockID == id;
+ return cs->bLength == sizeof(*cs) && cs->bClockID == id;
}
#define DEFINE_FIND_HELPER(name, obj, validator, type) \
--
2.20.1