1 file changed +20
-0
lines changed
@@ -221,6 +221,7 @@ static int snd_usb_create_streams(struct snd_usb_audio *chip, int ctrlif)
221221 struct usb_interface_descriptor * altsd ;
222222 void * control_header ;
223223 int i , protocol ;
224+ int rest_bytes ;
224225
225226 /* find audiocontrol interface */
226227 host_iface = & usb_ifnum_to_if (dev , ctrlif )-> altsetting [0 ];
@@ -235,6 +236,15 @@ static int snd_usb_create_streams(struct snd_usb_audio *chip, int ctrlif)
235236 return - EINVAL ;
236237 }
237238
239+ rest_bytes = (void * )(host_iface -> extra + host_iface -> extralen ) -
240+ control_header ;
241+
242+ /* just to be sure -- this shouldn't hit at all */
243+ if (rest_bytes <= 0 ) {
244+ dev_err (& dev -> dev , "invalid control header\n" );
245+ return - EINVAL ;
246+ }
247+
238248 switch (protocol ) {
239249 default :
240250 dev_warn (& dev -> dev ,
@@ -245,11 +255,21 @@ static int snd_usb_create_streams(struct snd_usb_audio *chip, int ctrlif)
245255 case UAC_VERSION_1 : {
246256 struct uac1_ac_header_descriptor * h1 = control_header ;
247257
258+ if (rest_bytes < sizeof (* h1 )) {
259+ dev_err (& dev -> dev , "too short v1 buffer descriptor\n" );
260+ return - EINVAL ;
261+ }
262+
248263 if (!h1 -> bInCollection ) {
249264 dev_info (& dev -> dev , "skipping empty audio interface (v1)\n" );
250265 return - EINVAL ;
251266 }
252267
268+ if (rest_bytes < h1 -> bLength ) {
269+ dev_err (& dev -> dev , "invalid buffer length (v1)\n" );
270+ return - EINVAL ;
271+ }
272+
253273 if (h1 -> bLength < sizeof (* h1 ) + h1 -> bInCollection ) {
254274 dev_err (& dev -> dev , "invalid UAC_HEADER (v1)\n" );
255275 return - EINVAL ;
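Review bot: In the UAC_VERSION_1 case the new check `rest_bytes < sizeof(*h1)` compares a signed `int` with a `size_t`, so `rest_bytes` is converted to unsigned and the test is only correct because the earlier `rest_bytes <= 0` guard has already returned. That dependency is implicit; either make it explicit with `if ((size_t)rest_bytes < sizeof(*h1)) {` or add a comment such as `/* rest_bytes > 0 is guaranteed above, so the unsigned comparison is safe */`, so a later reorder or removal of the "shouldn't hit" guard does not silently turn a negative remainder into a huge length that passes the bounds check. The ordering of the remaining checks looks right: `bLength` is confirmed to fit in the remaining bytes before the existing `sizeof(*h1) + bInCollection` test. The function continues outside this hunk, so whether the other protocol cases of the switch read `control_header` and need the same bounds checks cannot be confirmed from here.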