summaryrefslogtreecommitdiff
path: root/mm/tests/git@git.tavy.me:linux.git
diff options
context:
space:
mode:
authorMaoyi Xie <maoyixie.tju@gmail.com>2026-06-18 14:03:15 +0800
committerTakashi Iwai <tiwai@suse.de>2026-06-18 12:37:40 +0200
commitf7f3f9fd81e7adbaa12c2e62ee07f0e094a543fd (patch)
tree044d6e399ad9ae04f48a94276b550377b843d2e4 /mm/tests/git@git.tavy.me:linux.git
parent53d1ae7c20d97b08741d667ba54bb09d330eba3b (diff)
ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parser
snd_usb_caiaq_tks4_dispatch() decodes the Traktor Kontrol S4 input stream in fixed 16-byte (TKS4_MSGBLOCK_SIZE) message blocks. On every iteration it advances buf and subtracts the block size while looping on "while (len)". len is urb->actual_length. That value is supplied by the device and is not guaranteed to be a multiple of 16. When a final short block leaves len between 1 and 15, the loop runs once more, reads up to buf[15], and then does "len -= TKS4_MSGBLOCK_SIZE". As len is unsigned this underflows to a huge value. The loop then keeps iterating and walking buf far past the end of the 512-byte ep4_in_buf, reading out of bounds until a bogus block id happens to be hit. Iterate only while a full message block is available. This stops the unsigned underflow and silently drops any trailing partial block, which carries no complete control value anyway. The sibling endpoint-4 parsers are not affected. The Traktor Kontrol X1 and Maschine arms in snd_usb_caiaq_ep4_reply_dispatch() floor urb->actual_length before dispatching. Fixes: 15c5ab607045 ("ALSA: snd-usb-caiaq: Add support for Traktor Kontrol S4") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Link: https://patch.msgid.link/178176259547.3343534.2724779296835237429@maoyixie.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'mm/tests/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions