From: Takashi Iwai tiwai@suse.de
commit e84749a78dc82bc545f12ce009e3dbcc2c5a8a91 upstream.
snd_usbmidi_get_ms_info() may access beyond the border when a malformed descriptor is passed. This patch adds the sanity checks of the given MS endpoint descriptors, and skips invalid ones.
Reported-by: syzbot+6bb23a5d5548b93c94aa@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210510150659.17710-1-tiwai@suse.de Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- sound/usb/midi.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c index 4553db0ef0841..1ac8c84c3369a 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1890,8 +1890,12 @@ static int snd_usbmidi_get_ms_info(struct snd_usb_midi *umidi, ms_ep = find_usb_ms_endpoint_descriptor(hostep); if (!ms_ep) continue; + if (ms_ep->bLength <= sizeof(*ms_ep)) + continue; if (ms_ep->bNumEmbMIDIJack > 0x10) continue; + if (ms_ep->bLength < sizeof(*ms_ep) + ms_ep->bNumEmbMIDIJack) + continue; if (usb_endpoint_dir_out(ep)) { if (endpoints[epidx].out_ep) { if (++epidx >= MIDI_MAX_ENDPOINTS) {