Re: [PATCH RESEND] ALSA: scarlett2: Fix buffer overflow in config retrieval

Next message: Eric Dumazet: "[PATCH] scripts/bloat-o-meter: ignore __noinstr_text_start"
Previous message: Takashi Iwai: "Re: [PATCH] alsa: usb: Increase volume range that triggers a warning"
In reply to: Samasth Norway Ananda: "[PATCH RESEND] ALSA: scarlett2: Fix buffer overflow in config retrieval"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Takashi Iwai

Date: Sat Jan 17 2026 - 03:33:17 EST

On Sat, 17 Jan 2026 02:27:06 +0100,
Samasth Norway Ananda wrote:
>
> The scarlett2_usb_get_config() function has a logic error in the
> endianness conversion code that can cause buffer overflows when
> count > 1.
>
> The code checks `if (size == 2)` where `size` is the total buffer size in
> bytes, then loops `count` times treating each element as u16 (2 bytes).
> This causes the loop to access `count * 2` bytes when the buffer only
> has `size` bytes allocated.
>
> Fix by checking the element size (config_item->size) instead of the
> total buffer size. This ensures the endianness conversion matches the
> actual element type.
>
> Fixes: ac34df733d2d ("ALSA: usb-audio: scarlett2: Update get_config to do endian conversion")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@xxxxxxxxxx>

Applied now. Thanks.

Takashi