ALSA: ua101: Reject too-short USB descriptors

find_format_descriptor() walks the class-specific interface extras by
advancing with bLength. It rejects descriptors that extend past the
remaining buffer, but it does not reject descriptor lengths smaller than
a USB descriptor header.

Reject too-short descriptors before using bLength to advance the local
scan. This keeps the UA-101 parser robust against malformed descriptor
data and matches the usual USB descriptor walking rules.

Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260519-alsa-ua101-desc-len-v1-1-4307d1a5e054@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/usb/misc/ua101.c b/sound/usb/misc/ua101.c
index d129b42eb979d05c88d6eb0f4f169e3e9e136175..b9a62e94e06cbd0b04d938f072d45cae4cf990b4 100644 (file)
--- a/sound/usb/misc/ua101.c
+++ b/sound/usb/misc/ua101.c
@@ -894,8 +894,9 @@ find_format_descriptor(struct usb_interface *interface)
                struct uac_format_type_i_discrete_descriptor *desc;
 
                desc = (struct uac_format_type_i_discrete_descriptor *)extra;
-               if (desc->bLength > extralen) {
-                       dev_err(&interface->dev, "descriptor overflow\n");
+               if (desc->bLength < sizeof(struct usb_descriptor_header) ||
+                   desc->bLength > extralen) {
+                       dev_err(&interface->dev, "invalid descriptor length\n");
                        return NULL;
                }
                if (desc->bLength == UAC_FORMAT_TYPE_I_DISCRETE_DESC_SIZE(1) &&