From: Cássio Gabriel Date: Fri, 24 Apr 2026 21:50:10 +0000 (-0300) Subject: ALSA: usb-audio: Fix UAC3 cluster descriptor size check X-Git-Tag: v7.1-rc2~24^2~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26265dd69da32d88a88d21987853cec899d9e21f;p=thirdparty%2Fkernel%2Flinux.git ALSA: usb-audio: Fix UAC3 cluster descriptor size check The UAC3 cluster descriptor length check in snd_usb_get_audioformat_uac3()was added to make sure that the buffer is large enough for a struct uac3_cluster_header_descriptor before the returned data is cast and used. However, the check uses sizeof(cluster), where cluster is a pointer, not the size of the descriptor header. This makes the validation depend on the architecture pointer size and does not match the intended object size. Check against sizeof(*cluster) instead. Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()") Cc: stable@vger.kernel.org Signed-off-by: Cássio Gabriel Link: https://patch.msgid.link/20260424-alsa-usb-uac3-cluster-size-v1-1-99a5808898a3@gmail.com Signed-off-by: Takashi Iwai --- diff --git a/sound/usb/stream.c b/sound/usb/stream.c index 2532bf97e05e..6c51226f771b 100644 --- a/sound/usb/stream.c +++ b/sound/usb/stream.c @@ -1003,7 +1003,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip, * and request Cluster Descriptor */ wLength = le16_to_cpu(hc_header.wLength); - if (wLength < sizeof(cluster)) + if (wLength < sizeof(*cluster)) return NULL; cluster = kzalloc(wLength, GFP_KERNEL); if (!cluster)