Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp6571017ybx; Mon, 11 Nov 2019 11:08:05 -0800 (PST) X-Google-Smtp-Source: APXvYqzzw+ILzAr83ZQZaLdIOMIgniFKho/ttl8827/PUY72SSbjN9k4u6pYIf6qbDDJfsWiXtjO X-Received: by 2002:a17:906:80c:: with SMTP id e12mr24737045ejd.59.1573499284999; Mon, 11 Nov 2019 11:08:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573499284; cv=none; d=google.com; s=arc-20160816; b=LMf+YMyqsItKP01YaiAqc9KokTJOIJO/OIJjLcmzd22g7Aq2fLCNarPm2CcQmV1D1+ W3DXZAi9a2WBOn5hEc1KknGpNNB4hLiUWcAEfTE2ZbvRLr0ae44IT+bM7DvGW1FEfOW8 iGoe0idACbr6GOPDUml7ES+sg1tgK+E0K/bA0zZ+zNC8bEue99nWhdmxq0vNlOx9Wuck pwPK0fSeMaGRk4NbPFZh5rzsbonVdYP0zrv0vF7Qp9EdfPMI5AquvBVmrqsYPg9UKXss Xm736yieL8XKDKtrmIh6ItXk4kkKtAnwMkMLovJ3HggAbpCifimkZqKKoQO5cQtOeK30 vTYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=08/0TJ/hESINlYHc11myyTBcHYQjuHRwVYEhE4lBVwk=; b=git6GGNDhu8Q6dBX5m/6y19zrpJnE1/eNCEgf1dssuQPG3Jp0iih+gOpAixXgWYjQk n6J02GbdKVgFBcD/BzHZxSI9qD6LqTHS3zgSghY2z+Rf8nutx1BTClXIfDca/Ce/4wxt ozGynjp/9wiPM10lnCTS+izdib6vzEnduqzWqUpRcgBG81FZ6+6bDrkMsn9RoTtgkDiT kBaPvNvdQabPntslKAIXAfUeebtloFgAx+d1C47ofLO39DC+bWFkMeD3bqtBcVV8hTk0 Gh3q+Vrfy/i1YoIHAm9u/WLZxZncwhrBME7CYHDjUELbLs/vzHjSOxwlvEX8U9YMczy5 xH8w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ORQeLjbr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. 
[209.132.180.67]) by mx.google.com with ESMTP id j26si9335764ejy.246.2019.11.11.11.07.39; Mon, 11 Nov 2019 11:08:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ORQeLjbr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729611AbfKKSnX (ORCPT + 99 others); Mon, 11 Nov 2019 13:43:23 -0500 Received: from mail.kernel.org ([198.145.29.99]:34528 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728300AbfKKSnS (ORCPT ); Mon, 11 Nov 2019 13:43:18 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7A50721783; Mon, 11 Nov 2019 18:43:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1573497797; bh=QiTlitfYGxD2rq2OwiN44AMkLuoCVAPxbQZCfxigeZQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ORQeLjbrKPbC45kdqtskSQERFm27ITPu8qKc3W59JoY1yAy2XNrQMHq+ygFZJc3qt i2fOtnXnjmGdgL1zXTegzHN9u7EHVwJYDm0/+THA+LWciejlygVI3PrKsbJnKFt4Fj 3Y7LRMar2wS20YMtWCZVQKBL0Te1Pe4aPcwtqzB0= 
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai Subject: [PATCH 4.19 060/125] ALSA: usb-audio: Remove superfluous bLength checks Date: Mon, 11 Nov 2019 19:28:19 +0100 Message-Id: <20191111181448.330781223@linuxfoundation.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191111181438.945353076@linuxfoundation.org> References: <20191111181438.945353076@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Takashi Iwai commit b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a upstream. Now that we got the more comprehensive validation code for USB-audio descriptors, the check of overflow in each descriptor unit parser became superfluous. Drop some of the obvious cases. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman
---
 sound/usb/clock.c | 14 +++------
 sound/usb/mixer.c | 84 ------------------------------------------------------
 2 files changed, 6 insertions(+), 92 deletions(-)
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -52,39 +52,37 @@ static void *find_uac_clock_desc(struct
 static bool validate_clock_source_v2(void *p, int id)
 {
 struct uac_clock_source_descriptor *cs = p;
- return cs->bLength == sizeof(*cs) && cs->bClockID == id;
+ return cs->bClockID == id;
 }
 static bool validate_clock_source_v3(void *p, int id)
 {
 struct uac3_clock_source_descriptor *cs = p;
- return cs->bLength == sizeof(*cs) && cs->bClockID == id;
+ return cs->bClockID == id;
 }
 static bool validate_clock_selector_v2(void *p, int id)
 {
 struct uac_clock_selector_descriptor *cs = p;
- return cs->bLength >= sizeof(*cs) && cs->bClockID == id &&
- cs->bLength == 7 + cs->bNrInPins;
+ return cs->bClockID == id;
 }
 static bool validate_clock_selector_v3(void *p, int id)
 {
 struct uac3_clock_selector_descriptor *cs = p;
- return cs->bLength >= sizeof(*cs) && cs->bClockID == id &&
- cs->bLength == 11 + cs->bNrInPins;
+ return cs->bClockID == id;
 }
 static bool validate_clock_multiplier_v2(void *p, int id)
 {
 struct uac_clock_multiplier_descriptor *cs = p;
- return cs->bLength == sizeof(*cs) && cs->bClockID == id;
+ return cs->bClockID == id;
 }
 static bool validate_clock_multiplier_v3(void *p, int id)
 {
 struct uac3_clock_multiplier_descriptor *cs = p;
- return cs->bLength == sizeof(*cs) && cs->bClockID == id;
+ return cs->bClockID == id;
 }
 #define DEFINE_FIND_HELPER(name, obj, validator, type) \
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -755,13 +755,6 @@ static int uac_mixer_unit_get_channels(s
 {
 int mu_channels;
- if (desc->bLength < sizeof(*desc))
- return -EINVAL;
- if (!desc->bNrInPins)
- return -EINVAL;
- if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
- return -EINVAL;
-
 switch (state->mixer->protocol) {
 case UAC_VERSION_1:
 case UAC_VERSION_2:
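Review bot: The six `validate_clock_*` helpers in the clock.c hunk now read `cs->bClockID` with no length test of their own, so a descriptor shorter than the struct would be read past its end unless everything handed to them via `find_uac_clock_desc()` has already been length-validated, and nothing visible in this patch shows that it has. The same dependency applies to the mixer.c hunks, most sharply in `parse_audio_feature_unit()`, where `channels = (hdr->bLength - 7) / csize - 1;` now divides by `hdr->bControlSize` without the removed zero test, and in the parsers that loop over `desc->bNrInPins` and index `baSourceID[]`. I would keep a cheap lower bound in the validators, e.g. `return cs->bLength >= sizeof(*cs) && cs->bClockID == id;`, or at minimum add a comment above them naming the routine that guarantees the length and where it runs. The two selector helpers also lose the `bNrInPins`-based bound, so it is worth confirming that the shared validation covers the variable-length tail and rejects `bNrInPins == 0` and `bControlSize == 0`, which are not length checks.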
@@ -1796,13 +1789,6 @@ static int parse_clock_source_unit(struc
 if (state->mixer->protocol != UAC_VERSION_2)
 return -EINVAL;
- if (hdr->bLength != sizeof(*hdr)) {
- usb_audio_dbg(state->chip,
- "Bogus clock source descriptor length of %d, ignoring.\n",
- hdr->bLength);
- return 0;
- }
-
 /*
 * The only property of this unit we are interested in is the
 * clock source validity. If that isn't readable, just bail out.
@@ -1861,62 +1847,20 @@ static int parse_audio_feature_unit(stru
 __u8 *bmaControls;
 if (state->mixer->protocol == UAC_VERSION_1) {
- if (hdr->bLength < 7) {
- usb_audio_err(state->chip,
- "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
- unitid);
- return -EINVAL;
- }
 csize = hdr->bControlSize;
- if (!csize) {
- usb_audio_dbg(state->chip,
- "unit %u: invalid bControlSize == 0\n",
- unitid);
- return -EINVAL;
- }
 channels = (hdr->bLength - 7) / csize - 1;
 bmaControls = hdr->bmaControls;
- if (hdr->bLength < 7 + csize) {
- usb_audio_err(state->chip,
- "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
- unitid);
- return -EINVAL;
- }
 } else if (state->mixer->protocol == UAC_VERSION_2) {
 struct uac2_feature_unit_descriptor *ftr = _ftr;
- if (hdr->bLength < 6) {
- usb_audio_err(state->chip,
- "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
- unitid);
- return -EINVAL;
- }
 csize = 4;
 channels = (hdr->bLength - 6) / 4 - 1;
 bmaControls = ftr->bmaControls;
- if (hdr->bLength < 6 + csize) {
- usb_audio_err(state->chip,
- "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
- unitid);
- return -EINVAL;
- }
 } else { /* UAC_VERSION_3 */
 struct uac3_feature_unit_descriptor *ftr = _ftr;
- if (hdr->bLength < 7) {
- usb_audio_err(state->chip,
- "unit %u: invalid UAC3_FEATURE_UNIT descriptor\n",
- unitid);
- return -EINVAL;
- }
 csize = 4;
 channels = (ftr->bLength - 7) / 4 - 1;
 bmaControls = ftr->bmaControls;
- if (hdr->bLength < 7 + csize) {
- usb_audio_err(state->chip,
- "unit %u: invalid UAC3_FEATURE_UNIT descriptor\n",
- unitid);
- return -EINVAL;
- }
 }
 /* parse the source unit */
@@ -2120,15 +2064,11 @@ static int parse_audio_input_terminal(st
 if (state->mixer->protocol == UAC_VERSION_2) {
 struct uac2_input_terminal_descriptor *d_v2 = raw_desc;
- if (d_v2->bLength < sizeof(*d_v2))
- return -EINVAL;
 control = UAC2_TE_CONNECTOR;
 term_id = d_v2->bTerminalID;
 bmctls = le16_to_cpu(d_v2->bmControls);
 } else if (state->mixer->protocol == UAC_VERSION_3) {
 struct uac3_input_terminal_descriptor *d_v3 = raw_desc;
- if (d_v3->bLength < sizeof(*d_v3))
- return -EINVAL;
 control = UAC3_TE_INSERTION;
 term_id = d_v3->bTerminalID;
 bmctls = le32_to_cpu(d_v3->bmControls);
@@ -2390,18 +2330,7 @@ static int build_audio_procunit(struct m
 const char *name = extension_unit ?
 "Extension Unit" : "Processing Unit";
- if (desc->bLength < 13) {
- usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
- return -EINVAL;
- }
-
 num_ins = desc->bNrInPins;
- if (desc->bLength < 13 + num_ins ||
- desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) {
- usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
- return -EINVAL;
- }
-
 for (i = 0; i < num_ins; i++) {
 err = parse_audio_unit(state, desc->baSourceID[i]);
 if (err < 0)
@@ -2656,13 +2585,6 @@ static int parse_audio_selector_unit(str
 const struct usbmix_name_map *map;
 char **namelist;
- if (desc->bLength < 5 || !desc->bNrInPins ||
- desc->bLength < 5 + desc->bNrInPins) {
- usb_audio_err(state->chip,
- "invalid SELECTOR UNIT descriptor %d\n", unitid);
- return -EINVAL;
- }
-
 for (i = 0; i < desc->bNrInPins; i++) {
 err = parse_audio_unit(state, desc->baSourceID[i]);
 if (err < 0)
@@ -3168,8 +3090,6 @@ static int snd_usb_mixer_controls(struct
 if (mixer->protocol == UAC_VERSION_1) {
 struct uac1_output_terminal_descriptor *desc = p;
- if (desc->bLength < sizeof(*desc))
- continue; /* invalid descriptor? */
 /* mark terminal ID as visited */
 set_bit(desc->bTerminalID, state.unitbitmap);
 state.oterm.id = desc->bTerminalID;
@@ -3181,8 +3101,6 @@ static int snd_usb_mixer_controls(struct
 } else if (mixer->protocol == UAC_VERSION_2) {
 struct uac2_output_terminal_descriptor *desc = p;
- if (desc->bLength < sizeof(*desc))
- continue; /* invalid descriptor? */
 /* mark terminal ID as visited */
 set_bit(desc->bTerminalID, state.unitbitmap);
 state.oterm.id = desc->bTerminalID;
@@ -3208,8 +3126,6 @@ static int snd_usb_mixer_controls(struct
 } else { /* UAC_VERSION_3 */
 struct uac3_output_terminal_descriptor *desc = p;
- if (desc->bLength < sizeof(*desc))
- continue; /* invalid descriptor? */
 /* mark terminal ID as visited */
 set_bit(desc->bTerminalID, state.unitbitmap);
 state.oterm.id = desc->bTerminalID;