ALSA: FCP: Fix NULL pointer dereference in interface lookup

A malformed USB device can provide a vendor-specific interface without
any endpoint descriptors. fcp_find_fc_interface() currently selects the
first vendor-specific interface and reads endpoint 0 from it, without
checking whether the interface actually has any endpoints.

When bNumEndpoints is zero, no endpoint array is allocated for the parsed
alternate setting, so get_endpoint(..., 0) yields an invalid endpoint
descriptor pointer. Dereferencing it through usb_endpoint_num() then
triggers a NULL pointer dereference.

Skip vendor-specific interfaces that do not have any endpoints.

Fixes: 46757a3e7d50 ("ALSA: FCP: Add Focusrite Control Protocol driver")
Reported-by: Jiaming Zhang <r772577952@gmail.com>
Closes: https://lore.kernel.org/lkml/CANypQFb1EHj0xX8bA1WxSOSK-5xca6ZNKzOQcp12=s=puY7VFw@mail.gmail.com/
Signed-off-by: Jiaming Zhang <r772577952@gmail.com>
Link: https://patch.msgid.link/20260625134933.425785-1-r772577952@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/usb/fcp.c b/sound/usb/fcp.c
index ea746bdb36ffcfc48b7ac08f69110463cc96ecb9..6f5dcd35e1d4a18247e97b2eaa74ff87aa74a476 100644 (file)
--- a/sound/usb/fcp.c
+++ b/sound/usb/fcp.c
@@ -1083,6 +1083,8 @@ static int fcp_find_fc_interface(struct usb_mixer_interface *mixer)
 
                if (desc->bInterfaceClass != 255)
                        continue;
+               if (desc->bNumEndpoints < 1)
+                       continue;
 
                epd = get_endpoint(intf->altsetting, 0);
                private->bInterfaceNumber = desc->bInterfaceNumber;