git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Pengpeng Hou <pengpeng@iscas.ac.cn>
	Thu, 2 Apr 2026 05:40:15 +0000 (13:40 +0800)
committer	Jonathan Cameron <jic23@kernel.org>
	Tue, 28 Apr 2026 15:36:08 +0000 (16:36 +0100)
commit	673478bc29cf72010faaf293c1c8c667393335a0
tree	4f317e8c00c5df308307b197c236871721f669eb	tree \| snapshot
parent	852534744c2d35626a604f128ff0b8ec12805591	commit \| diff

iio: chemical: mhz19b: reject oversized serial replies

mhz19b_receive_buf() appends each serdev chunk into the fixed
MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
checking that the chunk fits in the remaining space. A large callback
can therefore overflow st->buf before the command path validates the
reply.

Reset the reply state before each command and reject oversized serial
replies before copying them into the fixed buffer. When an oversized
reply is detected, wake the waiter and report -EMSGSIZE instead of
overwriting st->buf.

Fixes: 4572a70b3681 ("iio: chemical: Add support for Winsen MHZ19B CO2 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Acked-by: Gyeyoung Baek <gye976@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>