diff options
author | Takashi Iwai <tiwai@suse.de> | 2019-08-20 17:17:09 +0200 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2019-08-22 10:35:59 +0200 |
commit | 57f8770620e9b51c61089751f0b5ad3dbe376ff2 (patch) | |
tree | 3302223d107681aa8b7558e68fdf1bf322cdc4b4 /sound/usb/mixer.c | |
parent | f9f0e9ed350e15d51ad07364b4cf910de50c472a (diff) |
ALSA: usb-audio: More validations of descriptor units
Introduce a new helper to validate each audio descriptor unit before
and check the unit before actually accessing it. This should harden
against the OOB access cases with malformed descriptors that have been
recently frequently reported by fuzzers.
The existing descriptor checks are still kept although they become
superfluous after this patch. They'll be cleaned up eventually
later.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/usb/mixer.c')
-rw-r--r-- | sound/usb/mixer.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index eceab19766db..a1093fb9bf09 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -785,6 +785,8 @@ static int __check_input_term(struct mixer_build *state, int id, p1 = find_audio_control_unit(state, id); if (!p1) break; + if (!snd_usb_validate_audio_desc(p1, protocol)) + break; /* bad descriptor */ hdr = p1; term->id = id; @@ -2775,6 +2777,11 @@ static int parse_audio_unit(struct mixer_build *state, int unitid) return -EINVAL; } + if (!snd_usb_validate_audio_desc(p1, protocol)) { + usb_audio_dbg(state->chip, "invalid unit %d\n", unitid); + return 0; /* skip invalid unit */ + } + if (protocol == UAC_VERSION_1 || protocol == UAC_VERSION_2) { switch (p1[2]) { case UAC_INPUT_TERMINAL: @@ -3145,6 +3152,9 @@ static int snd_usb_mixer_controls(struct usb_mixer_interface *mixer) while ((p = snd_usb_find_csint_desc(mixer->hostif->extra, mixer->hostif->extralen, p, UAC_OUTPUT_TERMINAL)) != NULL) { + if (!snd_usb_validate_audio_desc(p, mixer->protocol)) + continue; /* skip invalid descriptor */ + if (mixer->protocol == UAC_VERSION_1) { struct uac1_output_terminal_descriptor *desc = p; |