Commit 8e5c3482 authored by Takashi Iwai's avatar Takashi Iwai Committed by Ben Hutchings

ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()

commit 0f886ca1 upstream.

create_fixed_stream_quirk() may cause a NULL-pointer dereference by
accessing the non-existing endpoint when a USB device with a malformed
USB descriptor is used.

This patch avoids it simply by adding a sanity check of bNumEndpoints
before the accesses.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2:
 - There's no altsd variable
 - Adjust context]
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 1b8363d0
...@@ -165,6 +165,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, ...@@ -165,6 +165,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
return -EINVAL; return -EINVAL;
} }
alts = &iface->altsetting[fp->altset_idx]; alts = &iface->altsetting[fp->altset_idx];
if (get_iface_desc(alts)->bNumEndpoints < 1) {
kfree(fp);
kfree(rate_table);
return -EINVAL;
}
fp->datainterval = snd_usb_parse_datainterval(chip, alts); fp->datainterval = snd_usb_parse_datainterval(chip, alts);
fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize); fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
usb_set_interface(chip->dev, fp->iface, 0); usb_set_interface(chip->dev, fp->iface, 0);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment