Commit e1e31e0

Radon10043 authored and tiwai committed
ALSA: FCP: Fix NULL pointer dereference in interface lookup

A malformed USB device can provide a vendor-specific interface without any endpoint descriptors. fcp_find_fc_interface() currently selects the first vendor-specific interface and reads endpoint 0 from it, without checking whether the interface actually has any endpoints.

When bNumEndpoints is zero, no endpoint array is allocated for the parsed alternate setting, so get_endpoint(..., 0) yields an invalid endpoint descriptor pointer. Dereferencing it through usb_endpoint_num() then triggers a NULL pointer dereference.

Skip vendor-specific interfaces that do not have any endpoints.

Fixes: 46757a3 ("ALSA: FCP: Add Focusrite Control Protocol driver")
Reported-by: Jiaming Zhang <r772577952@gmail.com>
Closes: https://lore.kernel.org/lkml/CANypQFb1EHj0xX8bA1WxSOSK-5xca6ZNKzOQcp12=s=puY7VFw@mail.gmail.com/
Signed-off-by: Jiaming Zhang <r772577952@gmail.com>
Link: https://patch.msgid.link/20260625134933.425785-1-r772577952@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

1 parent 9dbbe81 commit e1e31e0

1 file changed

Lines changed: 2 additions & 0 deletions

sound/usb/fcp.c

@@ -1083,6 +1083,8 @@ static int fcp_find_fc_interface(struct usb_mixer_interface *mixer)
10831083

10841084
if (desc->bInterfaceClass != 255)
10851085
continue;
1086+
if (desc->bNumEndpoints < 1)
1087+
continue;
10861088

10871089
epd = get_endpoint(intf->altsetting, 0);
10881090
private->bInterfaceNumber = desc->bInterfaceNumber;
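
Review bot: The new `desc->bNumEndpoints < 1` check protects the `get_endpoint(intf->altsetting, 0)` call only if `desc` describes that same altsetting entry; the assignment of `desc` is outside the visible context, so it is worth confirming that it is taken from `intf->altsetting` and not from a different alternate setting. A one-line comment above the check, for example `/* no endpoints: get_endpoint(..., 0) would be invalid */`, would record why these interfaces are skipped. The guard also establishes only that endpoint 0 exists, so any later use of `epd` that assumes a particular endpoint type or direction still needs its own validation.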
