From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Florian Hanisch <fhanisch@uni-potsdam.de>,
Matthew Robbetts <wingfeathera@gmail.com>,
Michael Beer <beerml@sigma6audio.de>,
Daniel Mack <daniel@caiaq.de>,
Clemens Ladisch <clemens@ladisch.de>,
Takashi Iwai <tiwai@suse.de>
Subject: [ 20/33] ALSA: usb-audio: fix invalid length check for RME and other UAC 2 devices
Date: Fri, 1 Feb 2013 11:49:25 +0100 [thread overview]
Message-ID: <20130201104726.099447391@linuxfoundation.org> (raw)
In-Reply-To: <20130201104724.605715763@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Clemens Ladisch <clemens@ladisch.de>
commit d56268fb108c7c21e19933588ca4d94652585183 upstream.
Commit 23caaf19b11e (ALSA: usb-mixer: Add support for Audio Class v2.0)
forgot to adjust the length check for UAC 2.0 feature unit descriptors.
This would make the code abort on encountering a feature unit without
per-channel controls, and thus prevented the driver to work with any
device having such a unit, such as the RME Babyface or Fireface UCX.
Reported-by: Florian Hanisch <fhanisch@uni-potsdam.de>
Tested-by: Matthew Robbetts <wingfeathera@gmail.com>
Tested-by: Michael Beer <beerml@sigma6audio.de>
Cc: Daniel Mack <daniel@caiaq.de>
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1239,16 +1239,23 @@ static int parse_audio_feature_unit(stru
}
channels = (hdr->bLength - 7) / csize - 1;
bmaControls = hdr->bmaControls;
+ if (hdr->bLength < 7 + csize) {
+ snd_printk(KERN_ERR "usbaudio: unit %u: "
+ "invalid UAC_FEATURE_UNIT descriptor\n",
+ unitid);
+ return -EINVAL;
+ }
} else {
struct uac2_feature_unit_descriptor *ftr = _ftr;
csize = 4;
channels = (hdr->bLength - 6) / 4 - 1;
bmaControls = ftr->bmaControls;
- }
-
- if (hdr->bLength < 7 || !csize || hdr->bLength < 7 + csize) {
- snd_printk(KERN_ERR "usbaudio: unit %u: invalid UAC_FEATURE_UNIT descriptor\n", unitid);
- return -EINVAL;
+ if (hdr->bLength < 6 + csize) {
+ snd_printk(KERN_ERR "usbaudio: unit %u: "
+ "invalid UAC_FEATURE_UNIT descriptor\n",
+ unitid);
+ return -EINVAL;
+ }
}
/* parse the source unit */
next prev parent reply other threads:[~2013-02-01 10:50 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-01 10:49 [ 00/33] 3.4.29-stable review Greg Kroah-Hartman
2013-02-01 10:49 ` [ 01/33] can: c_can: fix invalid error codes Greg Kroah-Hartman
2013-02-01 10:49 ` [ 02/33] can: ti_hecc: " Greg Kroah-Hartman
2013-02-01 10:49 ` [ 03/33] can: pch_can: " Greg Kroah-Hartman
2013-02-01 10:49 ` [ 04/33] fs/cifs/cifs_dfs_ref.c: fix potential memory leakage Greg Kroah-Hartman
2013-02-01 10:49 ` [ 05/33] ARM: DMA: Fix struct page iterator in dma_cache_maint() to work with sparsemem Greg Kroah-Hartman
2013-02-01 10:49 ` [ 06/33] ARM: at91: rm9200: remake the BGA as default version Greg Kroah-Hartman
2013-02-01 10:49 ` [ 07/33] ARM: 7627/1: Predicate preempt logic on PREEMP_COUNT not PREEMPT alone Greg Kroah-Hartman
2013-02-01 10:49 ` [ 08/33] Bluetooth: Fix sending HCI commands after reset Greg Kroah-Hartman
2013-02-01 10:49 ` [ 09/33] drm/radeon: fix cursor corruption on DCE6 and newer Greg Kroah-Hartman
2013-02-01 10:49 ` [ 10/33] radeon_display: Use pointer return error codes Greg Kroah-Hartman
2013-02-01 10:49 ` [ 11/33] IOMMU, AMD Family15h Model10-1Fh erratum 746 Workaround Greg Kroah-Hartman
2013-02-01 10:49 ` [ 12/33] xfs: Fix possible use-after-free with AIO Greg Kroah-Hartman
2013-02-01 10:49 ` Greg Kroah-Hartman
2013-02-01 10:49 ` [ 13/33] mwifiex: fix typo in PCIe adapter NULL check Greg Kroah-Hartman
2013-02-01 10:49 ` [ 14/33] iwlegacy: fix IBSS cleanup Greg Kroah-Hartman
2013-02-03 0:20 ` Ben Hutchings
2013-02-04 10:18 ` Stanislaw Gruszka
2013-02-01 10:49 ` [ 15/33] brcmsmac: increase timer reference count for new timers only Greg Kroah-Hartman
2013-02-01 10:49 ` [ 16/33] mac80211: fix FT roaming Greg Kroah-Hartman
2013-02-01 10:49 ` [ 17/33] ath9k_htc: Fix memory leak Greg Kroah-Hartman
2013-02-01 10:49 ` [ 18/33] ath9k: do not link receive buffers during flush Greg Kroah-Hartman
2013-02-01 10:49 ` [ 19/33] ath9k: fix double-free bug on beacon generate failure Greg Kroah-Hartman
2013-02-01 10:49 ` Greg Kroah-Hartman [this message]
2013-02-01 10:49 ` [ 21/33] ALSA: hda - Add a fixup for Packard-Bell desktop with ALC880 Greg Kroah-Hartman
2013-02-01 10:49 ` [ 22/33] EDAC: Test correct variable in ->store function Greg Kroah-Hartman
2013-02-01 10:49 ` [ 23/33] ASoC: wm2200: correct mixer values and text Greg Kroah-Hartman
2013-02-01 10:49 ` [ 24/33] Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() Greg Kroah-Hartman
2013-02-01 10:49 ` [ 25/33] iommu/intel: disable DMAR for g4x integrated gfx Greg Kroah-Hartman
2013-02-01 10:49 ` [ 26/33] mac80211: synchronize scan off/on-channel and PS states Greg Kroah-Hartman
2013-02-01 10:49 ` [ 27/33] NFS: Dont silently fail setattr() requests on mountpoints Greg Kroah-Hartman
2013-02-01 10:49 ` [ 28/33] smp: Fix SMP function call empty cpu mask race Greg Kroah-Hartman
2013-02-01 10:49 ` [ 29/33] x86/msr: Add capabilities check Greg Kroah-Hartman
2013-02-01 10:49 ` [ 30/33] efi, x86: Pass a proper identity mapping in efi_call_phys_prelog Greg Kroah-Hartman
2013-02-01 10:49 ` [ 31/33] x86, efi: Set runtime_version to the EFI spec revision Greg Kroah-Hartman
2013-02-01 10:49 ` [ 32/33] x86/Sandy Bridge: Sandy Bridge workaround depends on CONFIG_PCI Greg Kroah-Hartman
2013-02-01 10:49 ` [ 33/33] target: fix regression with dev_link_magic in target_fabric_port_link Greg Kroah-Hartman
2013-02-01 23:25 ` [ 00/33] 3.4.29-stable review Shuah Khan
2013-02-02 21:49 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130201104726.099447391@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=beerml@sigma6audio.de \
--cc=clemens@ladisch.de \
--cc=daniel@caiaq.de \
--cc=fhanisch@uni-potsdam.de \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
--cc=wingfeathera@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.