From 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Tue, 15 Mar 2016 15:20:58 +0100
Subject: [PATCH] ALSA: usb-audio: Add sanity checks for endpoint accesses
Patch-mainline: Queued in subsystem maintainer repository
Git-commit: 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
References: CVE-2016-2184,bsc#971125

Add some sanity check codes before actually accessing the endpoint via
get_endpoint() in order to avoid the invalid access through a
malformed USB descriptor.  Mostly just checking bNumEndpoints, but in
one place (snd_microii_spdif_default_get()), the validity of iface and
altsetting index is checked as well.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

---
 sound/usb/clock.c |    2 ++
 sound/usb/pcm.c   |    2 ++
 2 files changed, 4 insertions(+)

--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -211,6 +211,8 @@ static int set_sample_rate_v1(struct snd
 	unsigned char data[3];
 	int err, crate;
 
+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
 	ep = get_endpoint(alts, 0)->bEndpointAddress;
 
 	/* if endpoint doesn't have sampling rate control, bail out */
--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -122,6 +122,8 @@ static int init_pitch_v1(struct snd_usb_
 	unsigned char data[1];
 	int err;
 
+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
 	ep = get_endpoint(alts, 0)->bEndpointAddress;
 
 	data[0] = 1;
