Commit 3c318f97 authored by Cássio Gabriel's avatar Cássio Gabriel Committed by Takashi Iwai
Browse files

ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES 



parse_uac2_sample_rate_range() caps the number of enumerated
rates at MAX_NR_RATES, but it only breaks out of the current
rate loop. A malformed UAC2 RANGE response with additional
triplets continues parsing the remaining triplets and repeatedly
prints "invalid uac2 rates" while probe still holds
register_mutex.

Stop the whole parse once the cap is reached and return the
number of rates collected so far.

Fixes: 4fa0e81b ("ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()")
Cc: stable@vger.kernel.org
Reported-by: default avatar <syzbot+d56178c27a4710960820@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=d56178c27a4710960820


Signed-off-by: default avatarCássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260415-usb-audio-uac2-rate-cap-v1-1-5ecbafc120d8@gmail.com


Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent eb90ae3c

sound/usb/format.c

+1 −1
Original line number Diff line number Diff line
@@ -470,7 +470,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, 
			nr_rates++;

			if (nr_rates >= MAX_NR_RATES) {

				usb_audio_err(chip, "invalid uac2 rates\n");

				break;

				return nr_rates;

			}



skip_rate: