From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Florian Hanisch <fhanisch@uni-potsdam.de>,
Matthew Robbetts <wingfeathera@gmail.com>,
Michael Beer <beerml@sigma6audio.de>,
Daniel Mack <daniel@caiaq.de>,
Clemens Ladisch <clemens@ladisch.de>,
Takashi Iwai <tiwai@suse.de>
Subject: [ 09/15] ALSA: usb-audio: fix invalid length check for RME and other UAC 2 devices
Date: Fri, 1 Feb 2013 11:48:42 +0100 [thread overview]
Message-ID: <20130201104757.141048264@linuxfoundation.org> (raw)
In-Reply-To: <20130201104756.470588207@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Clemens Ladisch <clemens@ladisch.de>
commit d56268fb108c7c21e19933588ca4d94652585183 upstream.
Commit 23caaf19b11e (ALSA: usb-mixer: Add support for Audio Class v2.0)
forgot to adjust the length check for UAC 2.0 feature unit descriptors.
This would make the code abort on encountering a feature unit without
per-channel controls, and thus prevented the driver to work with any
device having such a unit, such as the RME Babyface or Fireface UCX.
Reported-by: Florian Hanisch <fhanisch@uni-potsdam.de>
Tested-by: Matthew Robbetts <wingfeathera@gmail.com>
Tested-by: Michael Beer <beerml@sigma6audio.de>
Cc: Daniel Mack <daniel@caiaq.de>
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1238,16 +1238,23 @@ static int parse_audio_feature_unit(stru
}
channels = (hdr->bLength - 7) / csize - 1;
bmaControls = hdr->bmaControls;
+ if (hdr->bLength < 7 + csize) {
+ snd_printk(KERN_ERR "usbaudio: unit %u: "
+ "invalid UAC_FEATURE_UNIT descriptor\n",
+ unitid);
+ return -EINVAL;
+ }
} else {
struct uac2_feature_unit_descriptor *ftr = _ftr;
csize = 4;
channels = (hdr->bLength - 6) / 4 - 1;
bmaControls = ftr->bmaControls;
- }
-
- if (hdr->bLength < 7 || !csize || hdr->bLength < 7 + csize) {
- snd_printk(KERN_ERR "usbaudio: unit %u: invalid UAC_FEATURE_UNIT descriptor\n", unitid);
- return -EINVAL;
+ if (hdr->bLength < 6 + csize) {
+ snd_printk(KERN_ERR "usbaudio: unit %u: "
+ "invalid UAC_FEATURE_UNIT descriptor\n",
+ unitid);
+ return -EINVAL;
+ }
}
/* parse the source unit */
next prev parent reply other threads:[~2013-02-01 10:48 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20130201104756.470588207@linuxfoundation.org>
2013-02-01 10:48 ` [ 01/15] can: c_can: fix invalid error codes Greg Kroah-Hartman
2013-02-01 10:48 ` [ 02/15] can: ti_hecc: " Greg Kroah-Hartman
2013-02-01 10:48 ` [ 03/15] can: pch_can: " Greg Kroah-Hartman
2013-02-01 10:48 ` [ 04/15] fs/cifs/cifs_dfs_ref.c: fix potential memory leakage Greg Kroah-Hartman
2013-02-01 10:48 ` [ 05/15] ARM: DMA: Fix struct page iterator in dma_cache_maint() to work with sparsemem Greg Kroah-Hartman
2013-02-01 10:48 ` [ 06/15] Bluetooth: Fix sending HCI commands after reset Greg Kroah-Hartman
2013-02-01 10:48 ` [ 07/15] ath9k_htc: Fix memory leak Greg Kroah-Hartman
2013-02-01 10:48 ` [ 08/15] ath9k: fix double-free bug on beacon generate failure Greg Kroah-Hartman
2013-02-01 10:48 ` Greg Kroah-Hartman [this message]
2013-02-01 10:48 ` [ 10/15] EDAC: Test correct variable in ->store function Greg Kroah-Hartman
2013-02-01 10:48 ` [ 11/15] Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() Greg Kroah-Hartman
2013-02-01 10:48 ` [ 12/15] smp: Fix SMP function call empty cpu mask race Greg Kroah-Hartman
2013-02-01 10:48 ` [ 13/15] x86/msr: Add capabilities check Greg Kroah-Hartman
2013-02-01 10:48 ` [ 14/15] efi, x86: Pass a proper identity mapping in efi_call_phys_prelog Greg Kroah-Hartman
2013-02-01 10:48 ` [ 15/15] x86/Sandy Bridge: Sandy Bridge workaround depends on CONFIG_PCI Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130201104757.141048264@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=beerml@sigma6audio.de \
--cc=clemens@ladisch.de \
--cc=daniel@caiaq.de \
--cc=fhanisch@uni-potsdam.de \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
--cc=wingfeathera@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).