[PATCH 2/2] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans

Next message: Dave Chinner: "Re: [PATCH] xfs: snapshot current CIL sequence under xc_push_lock"
Previous message: syyang: "[PATCH v5 1/2] dt-bindings: bridge: Add Lontium LT9611C(EX/UXD) MIPI DSI to HDMI driver"
In reply to: C&#xE1;ssio Gabriel: "[PATCH 1/2] ALSA: usb-audio: Bound MIDI endpoint descriptor scans"
Next in thread: Takashi Iwai: "Re: [PATCH 0/2] ALSA: usb-audio: Fix endpoint-extra bounds checks in USB MIDI parsers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Cássio Gabriel

Date: Wed May 06 2026 - 23:41:27 EST

The USB MIDI 2.0 endpoint parser has the same descriptor walking
pattern as the legacy MIDI parser. It validates bLength against
bNumGrpTrmBlock before reading baAssoGrpTrmBlkID[], but not against the
remaining bytes in the endpoint-extra scan.

A malformed device can therefore make later baAssoGrpTrmBlkID[] reads
consume bytes past the walked descriptor.

Reject zero-length and overlong descriptors while walking endpoint
extras.

Fixes: ff49d1df79ae ("ALSA: usb-audio: USB MIDI 2.0 UMP support")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>
---
sound/usb/midi2.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/sound/usb/midi2.c b/sound/usb/midi2.c
index 2785600d2312..04aeb9052f13 100644
--- a/sound/usb/midi2.c
+++ b/sound/usb/midi2.c
@@ -496,15 +496,17 @@ static void *find_usb_ms_endpoint_descriptor(struct usb_host_endpoint *hostep,
while (extralen > 3) {
struct usb_ms_endpoint_descriptor *ms_ep =
(struct usb_ms_endpoint_descriptor *)extra;
+ int length = ms_ep->bLength;

- if (ms_ep->bLength > 3 &&
+ if (!length || length > extralen)
+ break;
+
+ if (length > 3 &&
ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
ms_ep->bDescriptorSubtype == subtype)
return ms_ep;
- if (!extra[0])
- break;
- extralen -= extra[0];
- extra += extra[0];
+ extralen -= length;
+ extra += length;
}
return NULL;
}

--
2.54.0