ALSA: ua101: fix division by zero at probe

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Add the missing endpoint max-packet sanity check to probe() to avoid
division by zero in alloc_stream_buffers() in case a malicious device
has broken descriptors (or when doing descriptor fuzz testing).

Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).

Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
Cc: stable@vger.kernel.org # 2.6.34
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211026095401.26522-1-johan@kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>

authored by

Johan Hovold and committed by

Takashi Iwai 4 years ago 55f261b7 f4000b58

+2 -2

1 changed file

expand all

sound

usb

misc

ua101.c

+2 -2

sound/usb/misc/ua101.c

··· 1000 1000 fmt_playback->bSubframeSize * ua->playback.channels; 1001 1001 1002 1002 epd = &ua->intf[INTF_CAPTURE]->altsetting[1].endpoint[0].desc; 1003 - if (!usb_endpoint_is_isoc_in(epd)) { 1003 + if (!usb_endpoint_is_isoc_in(epd) || usb_endpoint_maxp(epd) == 0) { 1004 1004 dev_err(&ua->dev->dev, "invalid capture endpoint\n"); 1005 1005 return -ENXIO; 1006 1006 } ··· 1008 1008 ua->capture.max_packet_bytes = usb_endpoint_maxp(epd); 1009 1009 1010 1010 epd = &ua->intf[INTF_PLAYBACK]->altsetting[1].endpoint[0].desc; 1011 - if (!usb_endpoint_is_isoc_out(epd)) { 1011 + if (!usb_endpoint_is_isoc_out(epd) || usb_endpoint_maxp(epd) == 0) { 1012 1012 dev_err(&ua->dev->dev, "invalid playback endpoint\n"); 1013 1013 return -ENXIO; 1014 1014 }