tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

ALSA: usb-audio: Fix UAC3 cluster descriptor size check

The UAC3 cluster descriptor length check in
snd_usb_get_audioformat_uac3()was added to
make sure that the buffer is large enough for
a struct uac3_cluster_header_descriptor before the
returned data is cast and used.

However, the check uses sizeof(cluster), where cluster
is a pointer, not the size of the descriptor header.
This makes the validation depend on the architecture
pointer size and does not match the intended object size.

Check against sizeof(*cluster) instead.

Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260424-alsa-usb-uac3-cluster-size-v1-1-99a5808898a3@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

authored by

Cássio Gabriel and committed by
Takashi Iwai 26265dd6 e5c33cdc

+1 -1
+1 -1
sound/usb/stream.c
··· 1003 1003 * and request Cluster Descriptor 1004 1004 */ 1005 1005 wLength = le16_to_cpu(hc_header.wLength); 1006 - if (wLength < sizeof(cluster)) 1006 + if (wLength < sizeof(*cluster)) 1007 1007 return NULL; 1008 1008 cluster = kzalloc(wLength, GFP_KERNEL); 1009 1009 if (!cluster)