[PATCH 0/2] ALSA: caiaq: fix S4 OOB read and bound the EP1 input parsers

From: Maoyi Xie

Date: Thu Jun 18 2026 - 02:03:41 EST


Hi Takashi,

Thanks for confirming the Traktor Kontrol S4 out-of-bounds read and for
the follow-up on the neighbouring parsers.

Patch 1 is the actual fix. snd_usb_caiaq_tks4_dispatch() loops on the raw
urb->actual_length. That value is controlled by the device and is not
required to be a multiple of the 16-byte message block. Once len drops
below 16 the unsigned "len -= TKS4_MSGBLOCK_SIZE" underflows. The loop
then keeps walking buf past ep4_in_buf[EP4_BUFSIZE]. The fix iterates
only while a full block remains, which also discards any trailing partial
block. The X1 and Maschine arms already floor the length before dispatch,
so only the S4 arm was affected.

Patch 2 adds the length checks you suggested to
snd_caiaq_input_read_erp() and snd_caiaq_input_read_io(). Both are
reachable through snd_usb_caiaq_input_dispatch(). As you noted,
snd_caiaq_input_read_analog() and snd_usb_caiaq_maschine_dispatch()
already have the length floored by their callers, so they are left
unchanged. The two parsers patch 2 touches are not an out-of-bounds
access either. Every offset is a fixed driver constant within the 64-byte
ep1_in_buf. A short reply does make them decode stale data, though, so the
guards drop such replies per device path. Patch 2 carries your
Suggested-by.

Patch 1 carries a Fixes tag and Cc: stable. Patch 2 does not.

Maoyi Xie (2):
  ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input
    parser
  ALSA: caiaq: bound the length in the EP1 input parsers

 sound/usb/caiaq/input.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--
2.34.1
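To make the underflow described for patch 1 concrete, here is an added C model of the two loop conditions; it is not the driver's code. TKS4_MSGBLOCK_SIZE is the 16-byte block named in the cover letter, while the EP4_BUFSIZE value of 512 and the walk_buggy()/walk_fixed() names are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* 16-byte S4 message block, as stated in the cover letter. */
#define TKS4_MSGBLOCK_SIZE 16
/* Assumed for this model; the real driver defines its own EP4_BUFSIZE. */
#define EP4_BUFSIZE 512

struct walk_result {
	unsigned int blocks;	/* blocks the loop dispatched */
	bool out_of_bounds;	/* the walk would have left ep4_in_buf[] */
};

/* Buggy shape: subtract a full block from the raw unsigned length each pass.
 * If len is not a multiple of 16 it never reaches 0; it wraps instead and
 * the walk runs past the buffer. The model stops at the buffer end so that
 * it is safe to run, and records that the real loop would not have. */
static struct walk_result walk_buggy(unsigned int len)
{
	struct walk_result r = { 0, false };
	size_t off = 0;

	while (len) {
		if (off + TKS4_MSGBLOCK_SIZE > EP4_BUFSIZE) {
			r.out_of_bounds = true;
			break;
		}
		off += TKS4_MSGBLOCK_SIZE;
		r.blocks++;
		len -= TKS4_MSGBLOCK_SIZE;	/* underflows once len < 16 */
	}
	return r;
}

/* Fixed shape: dispatch only while a full block remains; a trailing partial
 * block is discarded rather than decoded. */
static struct walk_result walk_fixed(unsigned int len)
{
	struct walk_result r = { 0, false };

	while (len >= TKS4_MSGBLOCK_SIZE) {
		r.blocks++;
		len -= TKS4_MSGBLOCK_SIZE;
	}
	return r;
}

int main(void)
{
	/* Constructed actual_length of 40: two full blocks plus 8 stray bytes. */
	struct walk_result b = walk_buggy(40), f = walk_fixed(40);

	printf("buggy: %u blocks, oob=%d\n", b.blocks, b.out_of_bounds);
	printf("fixed: %u blocks, oob=%d\n", f.blocks, f.out_of_bounds);
	return 0;
}
```

With a length of 40 the buggy walk visits all 32 blocks of the buffer and then tries to continue, while the fixed walk dispatches two blocks and drops the trailing 8 bytes.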