Re: [PATCH] ALSA: usb-audio: Fix UAC3 cluster descriptor size check

Next message: Geert Uytterhoeven: "[PATCH] m68k: defconfig: Update defconfigs for v7.1-rc1"
Previous message: Florian Fuchs: "[PATCH v2 1/3] mtd: maps: vmu-flash: fix build error due to missing include of linux/device.h"
In reply to: C&#xE1;ssio Gabriel: "[PATCH] ALSA: usb-audio: Fix UAC3 cluster descriptor size check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Takashi Iwai

Date: Mon Apr 27 2026 - 07:57:17 EST

On Fri, 24 Apr 2026 23:50:10 +0200,
Cássio Gabriel wrote:
>
> The UAC3 cluster descriptor length check in
> snd_usb_get_audioformat_uac3()was added to
> make sure that the buffer is large enough for
> a struct uac3_cluster_header_descriptor before the
> returned data is cast and used.
>
> However, the check uses sizeof(cluster), where cluster
> is a pointer, not the size of the descriptor header.
> This makes the validation depend on the architecture
> pointer size and does not match the intended object size.
>
> Check against sizeof(*cluster) instead.
>
> Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>

Applied now. Thanks.

Takashi