Re: [PATCH 0/2] ALSA: usb-audio: Fix endpoint-extra bounds checks in USB MIDI parsers

Next message: Peter Griffin: "Re: [PATCH v3 1/2] dt-bindings: mailbox: google,gs101-mbox: Add samsung,exynos850-mbox"
Previous message: Md Shofiqul Islam: "[PATCH] block: Fix typo in comment"
In reply to: C&#xE1;ssio Gabriel: "[PATCH 2/2] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Takashi Iwai

Date: Thu May 07 2026 - 07:07:34 EST

On Thu, 07 May 2026 05:40:50 +0200,
Cássio Gabriel wrote:
>
> Both the legacy USB MIDI and USB MIDI 2.0 endpoint descriptor
> walkers can return a class-specific endpoint descriptor without
> first checking that bLength fits in the remaining endpoint-extra
> scan.
>
> The later parsers validate the internal flexible-array sizes
> before reading baAssocJackID[] or baAssoGrpTrmBlkID[], but they
> still trust the descriptor returned by the walker. A malformed
> device can therefore make the parser consume bytes past
> the walked descriptor span.
>
> - Patch 1 bounds the legacy MIDI endpoint descriptor walk.
> - Patch 2 applies the same fix to the MIDI 2.0 endpoint descriptor walk.
>
> No behavior changes for valid devices; malformed endpoint-extra descriptors
> are now rejected during parsing instead.
>
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>
> ---
> Cássio Gabriel (2):
> ALSA: usb-audio: Bound MIDI endpoint descriptor scans
> ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans

Applied both to for-linus branch now. Thanks.

Takashi