[PATCH] ALSA: ua101: Reject too-short USB descriptors

Cássio Gabriel posted 1 patch 5 days, 23 hours ago
sound/usb/misc/ua101.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
[PATCH] ALSA: ua101: Reject too-short USB descriptors
Posted by Cássio Gabriel 5 days, 23 hours ago
find_format_descriptor() walks the class-specific interface extras by
advancing with bLength. It rejects descriptors that extend past the
remaining buffer, but it does not reject descriptor lengths smaller than
a USB descriptor header.

Reject too-short descriptors before using bLength to advance the local
scan. This keeps the UA-101 parser robust against malformed descriptor
data and matches the usual USB descriptor walking rules.

Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
 sound/usb/misc/ua101.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sound/usb/misc/ua101.c b/sound/usb/misc/ua101.c
index d129b42eb979..b9a62e94e06c 100644
--- a/sound/usb/misc/ua101.c
+++ b/sound/usb/misc/ua101.c
@@ -894,8 +894,9 @@ find_format_descriptor(struct usb_interface *interface)
 		struct uac_format_type_i_discrete_descriptor *desc;
 
 		desc = (struct uac_format_type_i_discrete_descriptor *)extra;
-		if (desc->bLength > extralen) {
-			dev_err(&interface->dev, "descriptor overflow\n");
+		if (desc->bLength < sizeof(struct usb_descriptor_header) ||
+		    desc->bLength > extralen) {
+			dev_err(&interface->dev, "invalid descriptor length\n");
 			return NULL;
 		}
 		if (desc->bLength == UAC_FORMAT_TYPE_I_DISCRETE_DESC_SIZE(1) &&
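Review bot: At the dev_err() line of the combined check, a too-short bLength and an overrun now produce the same "invalid descriptor length" text, so the log no longer says which case a device hit. Consider printing the values, for example dev_err(&interface->dev, "invalid descriptor length %u (%d left)\n", desc->bLength, extralen); with the second specifier matched to the type of extralen, which is not visible in this hunk. The order of the two comparisons is fine: the lower bound is tested before bLength is used for anything else, and the bLength == UAC_FORMAT_TYPE_I_DISCRETE_DESC_SIZE(1) test on the following context line only runs once both bounds hold.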

---
base-commit: 7c94f5e77906abd7b9ba81875ae238c802a187cb
change-id: 20260429-alsa-ua101-desc-len-7c4708724604

Best regards,
--  
Cássio Gabriel <cassiogabrielcontato@gmail.com>
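
The descriptor walking rule the commit message describes, as an added user-space sketch (not code from the patch or from the kernel): a walker that enforces both the lower and the upper bound on bLength before advancing. The function name, return codes and sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DESC_HEADER_SIZE 2 /* bLength + bDescriptorType */
#define WALK_NOT_FOUND (-1L)
#define WALK_MALFORMED (-2L)

/* Hypothetical helper: return the offset of the first descriptor of
 * want_type in a buffer of concatenated USB descriptors, or WALK_*. */
static long find_descriptor(const uint8_t *buf, size_t len, uint8_t want_type)
{
    size_t pos = 0;

    /* A full header must remain before either header field is read. */
    while (len - pos >= DESC_HEADER_SIZE) {
        uint8_t blength = buf[pos];

        /* Too short: 0 never advances the scan, 1 makes the next
         * iteration read a type byte as if it were a length. */
        if (blength < DESC_HEADER_SIZE)
            return WALK_MALFORMED;
        /* Too long: the descriptor claims bytes past the buffer end. */
        if (blength > len - pos)
            return WALK_MALFORMED;
        if (buf[pos + 1] == want_type)
            return (long)pos;
        pos += blength; /* safe: 2 <= blength <= len - pos */
    }
    return WALK_NOT_FOUND;
}

/* Constructed sample buffers, not captured from a device. */
static const uint8_t good[]     = { 0x03, 0x24, 0x01, 0x04, 0x25, 0xaa, 0xbb };
static const uint8_t zero_len[] = { 0x03, 0x24, 0x01, 0x00, 0x25, 0xaa, 0xbb };
static const uint8_t one_len[]  = { 0x01, 0x24, 0x25, 0x00 };
static const uint8_t overflow[] = { 0x03, 0x24, 0x01, 0x09, 0x25, 0xaa };

int main(void)
{
    printf("good=%ld zero_len=%ld one_len=%ld overflow=%ld\n",
           find_descriptor(good, sizeof good, 0x25),
           find_descriptor(zero_len, sizeof zero_len, 0x25),
           find_descriptor(one_len, sizeof one_len, 0x25),
           find_descriptor(overflow, sizeof overflow, 0x25));
    return 0;
}
```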

Re: [PATCH] ALSA: ua101: Reject too-short USB descriptors
Posted by Takashi Iwai 5 days, 20 hours ago
On Tue, 19 May 2026 05:32:15 +0200,
Cássio Gabriel wrote:
> 
> find_format_descriptor() walks the class-specific interface extras by
> advancing with bLength. It rejects descriptors that extend past the
> remaining buffer, but it does not reject descriptor lengths smaller than
> a USB descriptor header.
> 
> Reject too-short descriptors before using bLength to advance the local
> scan. This keeps the UA-101 parser robust against malformed descriptor
> data and matches the usual USB descriptor walking rules.
> 
> Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
> Cc: stable@vger.kernel.org
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>

Applied now.  Thanks.


Takashi