Message ID | 20180404053621.32539-4-tiwai@suse.de (mailing list archive) |
---|---|
State | New, archived |
Hi Takashi, On Wed, Apr 4, 2018 at 8:36 AM, Takashi Iwai <tiwai@suse.de> wrote: > The UAC3 clock parser codes lack of the sanity checks for malformed > descriptors like UAC2 parser does. Without it, the driver may lead to > a potential crash. > > Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support") > Signed-off-by: Takashi Iwai <tiwai@suse.de> > --- > sound/usb/clock.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/sound/usb/clock.c b/sound/usb/clock.c > index 5e533edfb092..177c6017e22c 100644 > --- a/sound/usb/clock.c > +++ b/sound/usb/clock.c > @@ -58,7 +58,7 @@ static bool validate_clock_source_v2(void *p, int id) > static bool validate_clock_source_v3(void *p, int id) > { > struct uac3_clock_source_descriptor *cs = p; > - return cs->bClockID == id; > + return cs->bLength == sizeof(*cs) && cs->bClockID == id; > } > > static bool validate_clock_selector_v2(void *p, int id) > @@ -71,7 +71,8 @@ static bool validate_clock_selector_v2(void *p, int id) > static bool validate_clock_selector_v3(void *p, int id) > { > struct uac3_clock_selector_descriptor *cs = p; > - return cs->bClockID == id; > + return cs->bLength == sizeof(*cs) && cs->bClockID == id && > + cs->bLength == 5 + cs->bNrInPins; Same comments as for UAC2 patch, but in this case bLength should be "11 + bNrInPins", so finally it should looks like: return cs->bLength >= sizeof(*cs) && cs->bClockID == id && cs->bLength == 11 + cs->bNrInPins; Thanks, Ruslan > } > > static bool validate_clock_multiplier_v2(void *p, int id) > @@ -83,7 +84,7 @@ static bool validate_clock_multiplier_v2(void *p, int id) > static bool validate_clock_multiplier_v3(void *p, int id) > { > struct uac3_clock_multiplier_descriptor *cs = p; > - return cs->bClockID == id; > + return cs->bLength == sizeof(*cs) && cs->bClockID == id; > } > > #define DEFINE_FIND_HELPER(name, obj, validator, type) \ > -- > 2.16.2 >
diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 5e533edfb092..177c6017e22c 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -58,7 +58,7 @@ static bool validate_clock_source_v2(void *p, int id)
 static bool validate_clock_source_v3(void *p, int id)
 {
 struct uac3_clock_source_descriptor *cs = p;
- return cs->bClockID == id;
+ return cs->bLength == sizeof(*cs) && cs->bClockID == id;
 }

 static bool validate_clock_selector_v2(void *p, int id)
@@ -71,7 +71,8 @@ static bool validate_clock_selector_v2(void *p, int id)
 static bool validate_clock_selector_v3(void *p, int id)
 {
 struct uac3_clock_selector_descriptor *cs = p;
- return cs->bClockID == id;
+ return cs->bLength == sizeof(*cs) && cs->bClockID == id &&
+ cs->bLength == 5 + cs->bNrInPins;
 }

 static bool validate_clock_multiplier_v2(void *p, int id)
@@ -83,7 +84,7 @@ static bool validate_clock_multiplier_v2(void *p, int id)
 static bool validate_clock_multiplier_v3(void *p, int id)
 {
 struct uac3_clock_multiplier_descriptor *cs = p;
- return cs->bClockID == id;
+ return cs->bLength == sizeof(*cs) && cs->bClockID == id;
 }

 #define DEFINE_FIND_HELPER(name, obj, validator, type) \
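Review bot: The checks added to `validate_clock_source_v3`, and likewise to the selector and multiplier validators in the two later hunks, compare only the device-supplied `bLength` field. The validators take a bare `void *p` with no remaining-length argument, so nothing visible here establishes that `bLength` bytes are actually readable behind `p`. Presumably the descriptor walker that calls them already bounds each descriptor against the end of the control-interface buffer; that code is outside these hunks and worth confirming, because a `bLength` that passes these tests but overruns the buffer would still allow an out-of-bounds read later. I would record the precondition above the v3 validators, e.g. `/* p must point at a descriptor whose bLength the caller has already bounds-checked against the descriptor buffer; these helpers only check that bLength covers the fields read later */`.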
The UAC3 clock parser code lacks the sanity checks for malformed descriptors that the UAC2 parser has. Without them, the driver may crash on a malformed descriptor. Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support") Signed-off-by: Takashi Iwai <tiwai@suse.de> --- sound/usb/clock.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)