[alsa-devel] [PATCH 2/2] ALSA: usb-audio: Add sanity checks in v3 clock parsers
Takashi Iwai
tiwai at suse.de
Tue Apr 3 17:48:08 CEST 2018
The UAC3 clock parser codes lack of the sanity checks for malformed
descriptors like UAC2 parser does. Without it, the driver may lead to
a potential crash.
Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Signed-off-by: Takashi Iwai <tiwai at suse.de>
---
sound/usb/clock.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index c5f0cf532c0c..169fb3ac3715 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -58,7 +58,7 @@ static bool validate_clock_source_v2(void *p, int id)
static bool validate_clock_source_v3(void *p, int id)
{
struct uac3_clock_source_descriptor *cs = p;
- return cs->bClockID == id;
+ return cs->bLength >= sizeof(*cs) && cs->bClockID == id;
}
static bool validate_clock_selector_v2(void *p, int id)
@@ -71,7 +71,8 @@ static bool validate_clock_selector_v2(void *p, int id)
static bool validate_clock_selector_v3(void *p, int id)
{
struct uac3_clock_selector_descriptor *cs = p;
- return cs->bClockID == id;
+ return cs->bLength >= sizeof(*cs) && cs->bClockID == id &&
+ cs->bLength >= 5 + cs->bNrInPins;
}
static bool validate_clock_multiplier_v2(void *p, int id)
@@ -83,7 +84,7 @@ static bool validate_clock_multiplier_v2(void *p, int id)
static bool validate_clock_multiplier_v3(void *p, int id)
{
struct uac3_clock_multiplier_descriptor *cs = p;
- return cs->bClockID == id;
+ return cs->bLength >= sizeof(*cs) && cs->bClockID == id;
}
#define DEFINE_FIND_HELPER(name, obj, validator, type) \
--
2.16.2
More information about the Alsa-devel
mailing list