ALSA: usb-audio: Add sanity checks in v2 clock parsers

commit 0a62d6c966956d77397c32836a5bbfe3af786fc1 upstream.

The helper functions to parse and look for the clock source, selector
and multiplier unit may return the descriptor with a too short length
than required, while there is no sanity check in the caller side.
Add some sanity checks in the parsers, at least, to guarantee the
given descriptor size, for avoiding the potential crashes.

Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 56216a23277f3d064cb0c1f2a67133da469739ac..09feedbd80c9dce89968eaa1381bd0cfd2975534 100644 (file)
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -43,7 +43,7 @@ static struct uac_clock_source_descriptor *
        while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
                                             ctrl_iface->extralen,
                                             cs, UAC2_CLOCK_SOURCE))) {
-               if (cs->bClockID == clock_id)
+               if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
                        return cs;
        }
 
@@ -59,8 +59,11 @@ static struct uac_clock_selector_descriptor *
        while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
                                             ctrl_iface->extralen,
                                             cs, UAC2_CLOCK_SELECTOR))) {
-               if (cs->bClockID == clock_id)
+               if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) {
+                       if (cs->bLength < 5 + cs->bNrInPins)
+                               return NULL;
                        return cs;
+               }
        }
 
        return NULL;
@@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descriptor *
        while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
                                             ctrl_iface->extralen,
                                             cs, UAC2_CLOCK_MULTIPLIER))) {
-               if (cs->bClockID == clock_id)
+               if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
                        return cs;
        }