[PATCH 02/11][CVE-2016-2184] ALSA: usb-audio: Add sanity checks for endpoint accesses

[Luis Henriques]

From: Takashi Iwai <tiwai at suse.de>

commit 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a upstream.

Add some sanity check codes before actually accessing the endpoint via
get_endpoint() in order to avoid the invalid access through a
malformed USB descriptor.  Mostly just checking bNumEndpoints, but in
one place (snd_microii_spdif_default_get()), the validity of iface and
altsetting index is checked as well.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
Signed-off-by: Takashi Iwai <tiwai at suse.de>
[bwh: Backported to 3.2: drop changes to code we don't have]
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
CVE-2016-2184
BugLink: https://bugs.launchpad.net/bugs/1561409
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 sound/usb/clock.c | 2 ++
 sound/usb/pcm.c   | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 5e634a2eb282..4c01f877227c 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -211,6 +211,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface,
 	unsigned char data[3];
 	int err, crate;
 
+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
 	ep = get_endpoint(alts, 0)->bEndpointAddress;
 
 	/* if endpoint doesn't have sampling rate control, bail out */
diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
index 983e0719f923..d5cdf1fc051a 100644
--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -148,6 +148,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface,
 	unsigned char data[1];
 	int err;
 
+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
 	ep = get_endpoint(alts, 0)->bEndpointAddress;
 
 	data[0] = 1;