ALSA: usb-audio: Fix potential out-of-bound access at parsing SU

The usb-audio driver may trigger an out-of-bound access at parsing a malformed selector unit, as it checks the header length only after evaluating bNrInPins field, which can be already above the given length. Fix it by adding the length check beforehand. Fixes: 99fc864 ("ALSA: usb-mixer: parse descriptors with structs") Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
mariux64 · Nov 21, 2017 · f658f17 · f658f17
1 parent d937cd6
commit f658f17
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
@@ -2098,7 +2098,8 @@ static int parse_audio_selector_unit(struct mixer_build *state, int unitid,
 	const struct usbmix_name_map *map;
 	char **namelist;
 
-	if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) {
+	if (desc->bLength < 5 || !desc->bNrInPins ||
+	    desc->bLength < 5 + desc->bNrInPins) {
 		usb_audio_err(state->chip,
 			"invalid SELECTOR UNIT descriptor %d\n", unitid);
 		return -EINVAL;