Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1117b7a3 authored by Takashi Iwai's avatar Takashi Iwai Committed by Greg Kroah-Hartman
Browse files

ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() 



commit f4351a199cc120ff9d59e06d02e8657d08e6cc46 upstream.

The parser for the processing unit reads bNrInPins field before the
bLength sanity check, which may lead to an out-of-bound access when a
malformed descriptor is given.  Fix it by assignment after the bLength
check.

Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 89c7ba90

sound/usb/mixer.c

+8 −2
Original line number Diff line number Diff line
@@ -1888,7 +1888,7 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, 
				char *name)

{

	struct uac_processing_unit_descriptor *desc = raw_desc;

	int num_ins = desc->bNrInPins;

	int num_ins;

	struct usb_mixer_elem_info *cval;

	struct snd_kcontrol *kctl;

	int i, err, nameid, type, len;
@@ -1903,7 +1903,13 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, 
		0, NULL, default_value_info

	};



	if (desc->bLength < 13 || desc->bLength < 13 + num_ins ||

	if (desc->bLength < 13) {

		usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);

		return -EINVAL;

	}



	num_ins = desc->bNrInPins;

	if (desc->bLength < 13 + num_ins ||

	    desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) {

		usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);

		return -EINVAL;