| author | Maoyi Xie <maoyixie.tju@gmail.com> | 2026-06-18 14:03:15 +0800 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2026-06-18 12:37:50 +0200 |
| commit | 58fc1275b3f288500ee79a02dbe89ed4197fdc3e (patch) | |
| tree | 131a273dc1b6675a300c9aeb2483142b797ecf01 | |
| parent | f7f3f9fd81e7adbaa12c2e62ee07f0e094a543fd (diff) | |
ALSA: caiaq: bound the length in the EP1 input parsers

snd_caiaq_input_read_erp() and snd_caiaq_input_read_io() can be reached
from snd_usb_caiaq_input_dispatch(). They read fixed byte offsets from
the reply buffer without checking the reported length. On a short reply
they decode stale bytes left from a previous, longer report and feed them
to the input layer.

This is not an out-of-bounds access. Every offset is a compile-time
driver constant. The largest is buf[21] in the Maschine ERP case. The
EP1 transfer buffer ep1_in_buf is EP1_BUFSIZE (64) bytes, and the USB
core caps actual_length at 64, so a short reply only reads in-bounds
stale data. Acting on data the device did not send is still wrong, so
bail out per usb_id case when the reply is shorter than the bytes that
case consumes.

read_erp: AK1 needs 2 bytes, Kore needs 16, Maschine needs 22.
read_io: the Kore case needs 5 bytes (buf[4]) and the Traktor Kontrol
X1 case needs 7 (buf[5]/buf[6]). The preceding key bit loop
is already bounded by "i < len * 8" and is left untouched.

snd_caiaq_input_read_analog() and snd_usb_caiaq_maschine_dispatch() are
not changed. Their callers already floor the reply length.

Suggested-by: Takashi Iwai <tiwai@suse.com>
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/178176259547.3343534.6659489917322808916@maoyixie.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
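The stale-bytes failure mode and the per-usb_id length check the commit message describes, as an added stand-alone model. This is not the caiaq driver's code and the commit's own diff is not shown on this page: the enum dev_kind, struct ep1_endpoint, ep1_complete(), read_unbounded(), read_bounded() and short_reply_scenario() names are hypothetical, and so is the choice to decode only the highest offset each case consumes. What is taken from the commit message is EP1_BUFSIZE (64), the 64-byte cap on actual_length, and the per-case minimum lengths (ERP: AK1 2, Kore 16, Maschine 22; IO: Kore 5, X1 7). The model fills the buffer with a 22-byte report, then completes a 4-byte reply into the same buffer, and shows that the unbounded read returns bytes from the earlier report while the bounded read bails out.

```c
/* Model of the EP1 reply-length check from the commit message. Illustrative
 * stand-alone program, not the caiaq driver's code; names are hypothetical.
 * EP1_BUFSIZE, the 64-byte cap and the per-case lengths follow the message. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EP1_BUFSIZE 64

/* Hypothetical stand-ins for the usb_id cases the commit message names. */
enum dev_kind { DEV_AK1, DEV_KORE, DEV_MASCHINE, DEV_X1 };

/* Bytes each ERP case consumes; -1 means the case has no ERP parser here. */
static int erp_min_len(enum dev_kind k)
{
	switch (k) {
	case DEV_AK1:      return 2;   /* buf[1] */
	case DEV_KORE:     return 16;  /* buf[15] */
	case DEV_MASCHINE: return 22;  /* buf[21], the largest offset */
	default:           return -1;
	}
}

/* Fixed-offset bytes each IO case consumes after the key bit loop;
 * 0 means the case reads nothing beyond that (already bounded) loop. */
static int io_min_len(enum dev_kind k)
{
	switch (k) {
	case DEV_KORE: return 5;  /* buf[4] */
	case DEV_X1:   return 7;  /* buf[5] and buf[6] */
	default:       return 0;
	}
}

/* Unbounded read, as before the fix: len is ignored, so a short reply
 * yields whatever an earlier, longer report left at that offset. */
static int read_unbounded(int need, const uint8_t *buf, int len)
{
	(void)len;
	if (need <= 0)
		return need;      /* nothing to read, or no parser for this case */
	return buf[need - 1];
}

/* Same read with the check the commit adds: bail out when the reply is
 * shorter than the bytes this case consumes. */
static int read_bounded(int need, const uint8_t *buf, int len)
{
	if (need <= 0)
		return need;
	if (len < need)
		return -1;        /* the device did not send these bytes */
	return buf[need - 1];
}

/* Model of the EP1 transfer buffer: at most EP1_BUFSIZE bytes are copied in,
 * and bytes beyond actual_length keep what the previous report set. */
struct ep1_endpoint {
	uint8_t buf[EP1_BUFSIZE];
	int actual_length;
};

static void ep1_complete(struct ep1_endpoint *ep, const uint8_t *report, int n)
{
	if (n > EP1_BUFSIZE)
		n = EP1_BUFSIZE;
	memcpy(ep->buf, report, n);
	ep->actual_length = n;
}

/* Constructed scenario: a 22-byte report of 0xAB bytes, then a 4-byte reply,
 * parsed for one usb_id case with (bounded=1) or without the length check.
 * Returns the parsed byte, or -1 when the bounded parser bails out. */
static int short_reply_scenario(enum dev_kind k, int is_erp, int bounded)
{
	struct ep1_endpoint ep;
	uint8_t long_report[22], short_report[4] = { 1, 2, 3, 4 };
	int need = is_erp ? erp_min_len(k) : io_min_len(k);

	memset(&ep, 0, sizeof ep);
	memset(long_report, 0xAB, sizeof long_report);
	ep1_complete(&ep, long_report, sizeof long_report);
	ep1_complete(&ep, short_report, sizeof short_report);
	return bounded ? read_bounded(need, ep.buf, ep.actual_length)
		       : read_unbounded(need, ep.buf, ep.actual_length);
}

int main(void)
{
	printf("Maschine ERP, 4-byte reply: unbounded=%d bounded=%d\n",
	       short_reply_scenario(DEV_MASCHINE, 1, 0),
	       short_reply_scenario(DEV_MASCHINE, 1, 1));
	printf("X1 IO, 4-byte reply: unbounded=%d bounded=%d\n",
	       short_reply_scenario(DEV_X1, 0, 0),
	       short_reply_scenario(DEV_X1, 0, 1));
	return 0;
}
```

The check is intentionally per case rather than a single floor on len: the AK1 ERP case still decodes a 4-byte reply (it only needs 2 bytes), while the Maschine and Kore ERP cases and the Kore and X1 IO cases reject it, which matches the "bail out per usb_id case" wording in the commit message.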
