| field | value | date |
|---|---|---|
| author | Maoyi Xie <maoyixie.tju@gmail.com> | 2026-06-18 14:03:15 +0800 |
| committer | Takashi Iwai <tiwai@suse.de> | 2026-06-18 12:37:40 +0200 |
| commit | f7f3f9fd81e7adbaa12c2e62ee07f0e094a543fd (patch) | |
| tree | 044d6e399ad9ae04f48a94276b550377b843d2e4 /mm/tests/git@git.tavy.me:linux.git | |
| parent | 53d1ae7c20d97b08741d667ba54bb09d330eba3b (diff) | |

ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parser

snd_usb_caiaq_tks4_dispatch() decodes the Traktor Kontrol S4 input
stream in fixed 16-byte (TKS4_MSGBLOCK_SIZE) message blocks. On every
iteration it advances buf and subtracts the block size while looping on
"while (len)".

len is urb->actual_length. That value is supplied by the device and is
not guaranteed to be a multiple of 16. When a final short block leaves
len between 1 and 15, the loop runs once more, reads up to buf[15], and
then does "len -= TKS4_MSGBLOCK_SIZE". As len is unsigned this underflows
to a huge value. The loop then keeps iterating and walking buf far past
the end of the 512-byte ep4_in_buf, reading out of bounds until a bogus
block id happens to be hit.

Iterate only while a full message block is available. This stops the
unsigned underflow and silently drops any trailing partial block, which
carries no complete control value anyway.

The sibling endpoint-4 parsers are not affected. The Traktor Kontrol X1
and Maschine arms in snd_usb_caiaq_ep4_reply_dispatch() floor
urb->actual_length before dispatching.

Fixes: 15c5ab607045 ("ALSA: snd-usb-caiaq: Add support for Traktor Kontrol S4")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/178176259547.3343534.2724779296835237429@maoyixie.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Diffstat (limited to 'mm/tests/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions
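
The loop-termination problem described in the commit message, as an added userspace illustration (not the kernel's code and not part of the commit). It tracks offsets only and never dereferences a buffer; the function names, the `cap_blocks` limit and the use of `unsigned int` for the length are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

#define TKS4_MSGBLOCK_SIZE 16   /* block size named in the commit message */
#define EP4_BUFSIZE        512  /* ep4_in_buf size named in the commit message */

/* "while (len)" form: returns how many bytes from buf the parser would walk.
 * cap_blocks (hypothetical) stands in for the bogus block id that ends the
 * real walk, so the demo terminates. */
static size_t reach_unchecked(unsigned int len, size_t cap_blocks)
{
    size_t off = 0, n = 0;

    while (len && n++ < cap_blocks) {
        off += TKS4_MSGBLOCK_SIZE;   /* block [off-16, off-1] would be read */
        len -= TKS4_MSGBLOCK_SIZE;   /* wraps to a huge value if len < 16 */
    }
    return off;
}

/* Fixed form: iterate only while a full message block is available. */
static size_t reach_checked(unsigned int len)
{
    size_t off = 0;

    while (len >= TKS4_MSGBLOCK_SIZE) {
        off += TKS4_MSGBLOCK_SIZE;
        len -= TKS4_MSGBLOCK_SIZE;
    }
    return off;
}

/* Alternative the message attributes to the sibling parsers: floor the
 * length to a whole number of blocks before dispatching. */
static unsigned int floor_len(unsigned int len)
{
    return len - (len % TKS4_MSGBLOCK_SIZE);
}

int main(void)
{
    unsigned int samples[] = { 32, 40, 15, 512 };  /* constructed lengths */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("len=%3u unchecked=%4zu checked=%3zu floored=%3zu (buf=%d)\n",
               samples[i], reach_unchecked(samples[i], 64),
               reach_checked(samples[i]),
               reach_unchecked(floor_len(samples[i]), 64), EP4_BUFSIZE);
    return 0;
}
```

For a length that is a multiple of 16 both loops agree; for 40 or 15 the unchecked walk runs to the cap (1024 bytes here, twice the buffer size), while the checked and floored forms stop at the last complete block.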
