1. Patchew
  2. linux
  3. View series

[PATCH] ALSA: usb-audio: Fix UAC3 cluster descriptor size check

Cássio Gabriel posted 1 patch 1 month, 3 weeks ago 
sound/usb/stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] ALSA: usb-audio: Fix UAC3 cluster descriptor size check
Posted by Cássio Gabriel 1 month, 3 weeks ago 
The UAC3 cluster descriptor length check in
snd_usb_get_audioformat_uac3()was added to
make sure that the buffer is large enough for
a struct uac3_cluster_header_descriptor before the
returned data is cast and used.

However, the check uses sizeof(cluster), where cluster
is a pointer, not the size of the descriptor header.
This makes the validation depend on the architecture
pointer size and does not match the intended object size.

Check against sizeof(*cluster) instead.

Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
 sound/usb/stream.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index 2532bf97e05e..6c51226f771b 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -1003,7 +1003,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
 	 * and request Cluster Descriptor
 	 */
 	wLength = le16_to_cpu(hc_header.wLength);
-	if (wLength < sizeof(cluster))
+	if (wLength < sizeof(*cluster))
 		return NULL;
 	cluster = kzalloc(wLength, GFP_KERNEL);
 	if (!cluster)

---
base-commit: 876c495d412ef67bd4d0bdc4b74b0bd3d9f4e890
change-id: 20260424-alsa-usb-uac3-cluster-size-4b87d633076a

Best regards,
--  
Cássio Gabriel <cassiogabrielcontato@gmail.com>
Re: [PATCH] ALSA: usb-audio: Fix UAC3 cluster descriptor size check
Posted by Takashi Iwai 1 month, 3 weeks ago 
On Fri, 24 Apr 2026 23:50:10 +0200,
Cássio Gabriel wrote:
> 
> The UAC3 cluster descriptor length check in
> snd_usb_get_audioformat_uac3()was added to
> make sure that the buffer is large enough for
> a struct uac3_cluster_header_descriptor before the
> returned data is cast and used.
> 
> However, the check uses sizeof(cluster), where cluster
> is a pointer, not the size of the descriptor header.
> This makes the validation depend on the architecture
> pointer size and does not match the intended object size.
> 
> Check against sizeof(*cluster) instead.
> 
> Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>

Applied now.  Thanks.


Takashi

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.