From patchwork Wed Apr  4 05:36:21 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Takashi Iwai <tiwai@suse.de>
X-Patchwork-Id: 10322103
Return-Path: <alsa-devel-bounces@alsa-project.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	56C7760390 for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed,  4 Apr 2018 05:36:35 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4578928D6C
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed,  4 Apr 2018 05:36:35 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 3A44328DBB; Wed,  4 Apr 2018 05:36:35 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE
	autolearn=ham version=3.3.1
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5D5FA28D6C
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed,  4 Apr 2018 05:36:29 +0000 (UTC)
Received: from alsa0.perex.cz (localhost [127.0.0.1])
	by alsa0.perex.cz (Postfix) with ESMTP id EB86F26763D;
	Wed,  4 Apr 2018 07:36:27 +0200 (CEST)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 9BE4F267647; Wed,  4 Apr 2018 07:36:25 +0200 (CEST)
Received: from mx2.suse.de (mx2.suse.de [195.135.220.15])
	by alsa0.perex.cz (Postfix) with ESMTP id DD43326763D
	for <alsa-devel@alsa-project.org>;
	Wed,  4 Apr 2018 07:36:23 +0200 (CEST)
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254])
	by mx2.suse.de (Postfix) with ESMTP id 68888AE1B;
	Wed,  4 Apr 2018 05:36:23 +0000 (UTC)
From: Takashi Iwai <tiwai@suse.de>
To: alsa-devel@alsa-project.org
Date: Wed,  4 Apr 2018 07:36:21 +0200
Message-Id: <20180404053621.32539-4-tiwai@suse.de>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180404053621.32539-1-tiwai@suse.de>
References: <20180404053621.32539-1-tiwai@suse.de>
Cc: Andrew Chant <achant@google.com>,
	Ruslan Bilovol <ruslan.bilovol@gmail.com>
Subject: [alsa-devel] [PATCH v2 3/3] ALSA: usb-audio: Add sanity checks in
	UAC3 clock parsers
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
	http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
X-Virus-Scanned: ClamAV using ClamSMTP

The UAC3 clock parser codes lack of the sanity checks for malformed
descriptors like UAC2 parser does.  Without it, the driver may lead to
a potential crash.

Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/usb/clock.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 5e533edfb092..177c6017e22c 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -58,7 +58,7 @@ static bool validate_clock_source_v2(void *p, int id)
 static bool validate_clock_source_v3(void *p, int id)
 {
 	struct uac3_clock_source_descriptor *cs = p;
-	return cs->bClockID == id;
+	return cs->bLength == sizeof(*cs) && cs->bClockID == id;
 }
 
 static bool validate_clock_selector_v2(void *p, int id)
@@ -71,7 +71,8 @@ static bool validate_clock_selector_v2(void *p, int id)
 static bool validate_clock_selector_v3(void *p, int id)
 {
 	struct uac3_clock_selector_descriptor *cs = p;
-	return cs->bClockID == id;
+	return cs->bLength == sizeof(*cs) && cs->bClockID == id &&
+		cs->bLength == 5 + cs->bNrInPins;
 }
 
 static bool validate_clock_multiplier_v2(void *p, int id)
@@ -83,7 +84,7 @@ static bool validate_clock_multiplier_v2(void *p, int id)
 static bool validate_clock_multiplier_v3(void *p, int id)
 {
 	struct uac3_clock_multiplier_descriptor *cs = p;
-	return cs->bClockID == id;
+	return cs->bLength == sizeof(*cs) && cs->bClockID == id;
 }
 
 #define DEFINE_FIND_HELPER(name, obj, validator, type)		\