ALSA: line6: fix stack overflow in line6_midi_transmit

commit b8800d324abb50160560c636bfafe2c81001b66c upstream.

Correctly calculate available space including the size of the chunk
buffer. This fixes a buffer overflow when multiple MIDI sysex
messages are sent to a PODxt device.

Signed-off-by: Artem Egorkine <arteme@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221225105728.1153989-2-arteme@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/sound/usb/line6/midi.c b/sound/usb/line6/midi.c
index d52355de2bbc023a7268a3dcdf1539154c747619..0838632c788e4a120c50a20db56ff75d69e1ed77 100644 (file)
--- a/sound/usb/line6/midi.c
+++ b/sound/usb/line6/midi.c
@@ -44,7 +44,8 @@ static void line6_midi_transmit(struct snd_rawmidi_substream *substream)
        int req, done;
 
        for (;;) {
-               req = min(line6_midibuf_bytes_free(mb), line6->max_packet_size);
+               req = min3(line6_midibuf_bytes_free(mb), line6->max_packet_size,
+                          LINE6_FALLBACK_MAXPACKETSIZE);
                done = snd_rawmidi_transmit_peek(substream, chunk, req);
 
                if (done == 0)