提交 b580fbff 编写于 作者: T Takashi Iwai

ALSA: usb-audio: Add sanity checks in UAC3 clock parsers

The UAC3 clock parser codes lack of the sanity checks for malformed
descriptors like UAC2 parser does.  Without it, the driver may lead to
a potential crash.

Fixes: 9a2fe9b8 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Tested-by: NRuslan Bilovol <ruslan.bilovol@gmail.com>
Reviewed-by: NRuslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>
上级 f5d76e9c
...@@ -58,7 +58,7 @@ static bool validate_clock_source_v2(void *p, int id) ...@@ -58,7 +58,7 @@ static bool validate_clock_source_v2(void *p, int id)
static bool validate_clock_source_v3(void *p, int id) static bool validate_clock_source_v3(void *p, int id)
{ {
struct uac3_clock_source_descriptor *cs = p; struct uac3_clock_source_descriptor *cs = p;
return cs->bClockID == id; return cs->bLength == sizeof(*cs) && cs->bClockID == id;
} }
static bool validate_clock_selector_v2(void *p, int id) static bool validate_clock_selector_v2(void *p, int id)
...@@ -71,7 +71,8 @@ static bool validate_clock_selector_v2(void *p, int id) ...@@ -71,7 +71,8 @@ static bool validate_clock_selector_v2(void *p, int id)
static bool validate_clock_selector_v3(void *p, int id) static bool validate_clock_selector_v3(void *p, int id)
{ {
struct uac3_clock_selector_descriptor *cs = p; struct uac3_clock_selector_descriptor *cs = p;
return cs->bClockID == id; return cs->bLength >= sizeof(*cs) && cs->bClockID == id &&
cs->bLength == 11 + cs->bNrInPins;
} }
static bool validate_clock_multiplier_v2(void *p, int id) static bool validate_clock_multiplier_v2(void *p, int id)
...@@ -83,7 +84,7 @@ static bool validate_clock_multiplier_v2(void *p, int id) ...@@ -83,7 +84,7 @@ static bool validate_clock_multiplier_v2(void *p, int id)
static bool validate_clock_multiplier_v3(void *p, int id) static bool validate_clock_multiplier_v3(void *p, int id)
{ {
struct uac3_clock_multiplier_descriptor *cs = p; struct uac3_clock_multiplier_descriptor *cs = p;
return cs->bClockID == id; return cs->bLength == sizeof(*cs) && cs->bClockID == id;
} }
#define DEFINE_FIND_HELPER(name, obj, validator, type) \ #define DEFINE_FIND_HELPER(name, obj, validator, type) \
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册