On Fri, Oct 12, 2018 at 04:48:23PM +0300, Dan Carpenter wrote:
966 /* 967 * Second step: allocate needed amount of memory 968 * and request Cluster Descriptor 969 */ 970 wLength = le16_to_cpu(hc_header.wLength); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ My private build of Smatch complains that all le16_to_cpu() data probably comes from untrusted sources.
971 cluster = kzalloc(wLength, GFP_KERNEL); ^^^^^^^ Maybe we're not allocating enough bytes for the cluster struct (8 bytes).
972 if (!cluster) 973 return ERR_PTR(-ENOMEM); 974 err = snd_usb_ctl_msg(chip->dev, 975 usb_rcvctrlpipe(chip->dev, 0), 976 UAC3_CS_REQ_HIGH_CAPABILITY_DESCRIPTOR, 977 USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN, 978 cluster_id, 979 snd_usb_ctrl_intf(chip), 980 cluster, wLength);
^^^^^^^
Also I just wanted to note as well that cluser->wLength is set by the USB device here and we don't have a good reason to assume it's valid.
981 if (err < 0) { 982 kfree(cluster); 983 return ERR_PTR(err); 984 } else if (err != wLength) { 985 dev_err(&dev->dev, 986 "%u:%d : can't get Cluster Descriptor\n", 987 iface_no, altno); 988 kfree(cluster); 989 return ERR_PTR(-EIO); 990 } 991 992 num_channels = cluster->bNrChannels; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 993 chmap = convert_chmap_v3(cluster); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
But we trust it in convert_chmap_v3() so that's a second potential out of bounds.
regards, dan carpenter