git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 23 Feb 2026 16:51:17 +0000 (17:51 +0100)
committer	Marc Kleine-Budde <mkl@pengutronix.de>
	Mon, 2 Mar 2026 10:03:42 +0000 (11:03 +0100)
commit	38a01c9700b0dcafe97dfa9dc7531bf4a245deff
tree	00391d662f5ec0f9e3915a0f0863a43140f351f6	tree \| snapshot
parent	968b098220e393a10488b6a5dddb302b2eaedf66	commit \| diff

can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message

When looking at the data in a USB urb, the actual_length is the size of
the buffer passed to the driver, not the transfer_buffer_length which is
set by the driver as the max size of the buffer.

When parsing the messages in ems_usb_read_bulk_callback() properly check
the size both at the beginning of parsing the message to make sure it is
big enough for the expected structure, and at the end of the message to
make sure we don't overflow past the end of the buffer for the next
message.

Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022316-answering-strainer-a5db@gregkh
Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>