Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ALSA: scarlett2: Fix buffer overflow in config retrieval

The scarlett2_usb_get_config() function has a logic error in the
endianness conversion code that can cause buffer overflows when
count > 1.

The code checks `if (size == 2)` where `size` is the total buffer size in
bytes, then loops `count` times treating each element as u16 (2 bytes).
This causes the loop to access `count * 2` bytes when the buffer only
has `size` bytes allocated.

Fix by checking the element size (config_item->size) instead of the
total buffer size. This ensures the endianness conversion matches the
actual element type.

Fixes: ac34df733d2d ("ALSA: usb-audio: scarlett2: Update get_config to do endian conversion")
Cc: stable@vger.kernel.org
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Link: https://patch.msgid.link/20260117012706.1715574-1-samasth.norway.ananda@oracle.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Authored by Samasth Norway Ananda and committed by Takashi Iwai
6f5c69f7 6b971191

+3 -3
sound/usb/mixer_scarlett2.c
··· 2533 2533 err = scarlett2_usb_get(mixer, config_item->offset, buf, size); 2534 2534 if (err < 0) 2535 2535 return err; 2536 - if (size == 2) { 2536 + if (config_item->size == 16) { 2537 2537 u16 *buf_16 = buf; 2538 2538 2539 2539 for (i = 0; i < count; i++, buf_16++) 2540 2540 *buf_16 = le16_to_cpu(*(__le16 *)buf_16); 2541 - } else if (size == 4) { 2542 - u32 *buf_32 = buf; 2541 + } else if (config_item->size == 32) { 2542 + u32 *buf_32 = (u32 *)buf; 2543 2543 2544 2544 for (i = 0; i < count; i++, buf_32++) 2545 2545 *buf_32 = le32_to_cpu(*(__le32 *)buf_32);
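
Review bot: The `(u32 *)buf` cast added on the `buf_32` line is unrelated to the overflow fix and leaves the two branches inconsistent, because the 16-bit branch still reads `u16 *buf_16 = buf;` with no cast. For a patch carrying Cc: stable, drop the cast and keep the change to the two conditions only. The new conditions compare `config_item->size` against 16 and 32, so that field is evidently a width in bits while `size` is a length in bytes; the commit message says only "element size", and a one-line comment at the first condition stating the unit would make this mix-up harder to reintroduce. Both loops still run `count` times over `buf`, so the fix depends on `size` having been derived from `count` and the element width before the `scarlett2_usb_get()` call, which happens outside the lines shown here and is worth confirming against the full function.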