ALSA: usb-audio: Add sanity checks in UAC3 clock parsers

The UAC3 clock parser codes lack of the sanity checks for malformed
descriptors like UAC2 parser does.  Without it, the driver may lead to
a potential crash.

Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Tested-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Reviewed-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 30cfd5b1bdfbbb06816061ef4d81dcae581dfe69..0b030d8fe3fa2c89d330981a7aa4ce69311cb6a9 100644 (file)
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -58,7 +58,7 @@ static bool validate_clock_source_v2(void *p, int id)
 static bool validate_clock_source_v3(void *p, int id)
 {
        struct uac3_clock_source_descriptor *cs = p;
-       return cs->bClockID == id;
+       return cs->bLength == sizeof(*cs) && cs->bClockID == id;
 }
 
 static bool validate_clock_selector_v2(void *p, int id)
@@ -71,7 +71,8 @@ static bool validate_clock_selector_v2(void *p, int id)
 static bool validate_clock_selector_v3(void *p, int id)
 {
        struct uac3_clock_selector_descriptor *cs = p;
-       return cs->bClockID == id;
+       return cs->bLength >= sizeof(*cs) && cs->bClockID == id &&
+               cs->bLength == 11 + cs->bNrInPins;
 }
 
 static bool validate_clock_multiplier_v2(void *p, int id)
@@ -83,7 +84,7 @@ static bool validate_clock_multiplier_v2(void *p, int id)
 static bool validate_clock_multiplier_v3(void *p, int id)
 {
        struct uac3_clock_multiplier_descriptor *cs = p;
-       return cs->bClockID == id;
+       return cs->bLength == sizeof(*cs) && cs->bClockID == id;
 }
 
 #define DEFINE_FIND_HELPER(name, obj, validator, type)         \