Bluetooth: btusb: clamp SCO altsetting table indices

btusb_work() maps the number of active SCO links to USB alternate
settings through a three-entry lookup table when CVSD traffic uses
transparent voice settings. The lookup currently indexes alts[] with
data->sco_num - 1 without first constraining sco_num to the number of
available table entries.

While the table only defines alternate settings for up to three SCO
links, data->sco_num comes from hci_conn_num() and is used directly.
Cap the lookup to the last table entry before indexing it so the
driver keeps selecting the highest supported alternate setting without
reading past alts[].

Fixes: baac6276c0a9 ("Bluetooth: btusb: handle mSBC audio over USB Endpoints")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index a1c5eb993e478a4fe7e42509ac23795bbfadb75c..5c535f3ab7228607568476adcc4a2314ec6c83c2 100644 (file)
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2376,8 +2376,11 @@ static void btusb_work(struct work_struct *work)
                if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
                        if (hdev->voice_setting & 0x0020) {
                                static const int alts[3] = { 2, 4, 5 };
+                               unsigned int sco_idx;
 
-                               new_alts = alts[data->sco_num - 1];
+                               sco_idx = min_t(unsigned int, data->sco_num - 1,
+                                               ARRAY_SIZE(alts) - 1);
+                               new_alts = alts[sco_idx];
                        } else {
                                new_alts = data->sco_num;
                        }