git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Cássio Gabriel <cassiogabrielcontato@gmail.com>
	Thu, 7 May 2026 03:40:51 +0000 (00:40 -0300)
committer	Takashi Iwai <tiwai@suse.de>
	Thu, 7 May 2026 10:58:09 +0000 (12:58 +0200)
commit	d6854daa67be623860f4e1873fd3d3c275aba4ed
tree	ea00b42d32789864b91fc69d68659e75104f72ec	tree \| snapshot
parent	91892231ae5e638326e7eaa0174de86fac9aa5fd	commit \| diff

ALSA: usb-audio: Bound MIDI endpoint descriptor scans

snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint
descriptor size before using baAssocJackID[], but the descriptor walker can
still return a class-specific endpoint descriptor whose bLength exceeds the
remaining bytes in the endpoint-extra scan.

That leaves later flexible-array reads bounded by bLength, but not by the
remaining bytes in the endpoint-extra scan.

Stop walking when bLength is zero or
extends past the remaining endpoint-extra scan.

Fixes: 5c6cd7021a05 ("ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260507-usb-midi-endpoint-scan-bounds-v1-1-329d7348160e@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>