]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
projects / thirdparty / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 915b36d)
USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
authorJohan Hovold <johan@kernel.org>
Wed, 20 May 2026 14:27:10 +0000 (16:27 +0200)
committerJohan Hovold <johan@kernel.org>
Wed, 20 May 2026 14:27:10 +0000 (16:27 +0200)
Add the missing sanity check on the size of interrupt-in transfers to
avoid parsing stale or uninitialised slab data (and leaking it to user
space).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
drivers/usb/serial/mct_u232.c patch | blob | blame | history

diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index ca1530da6e77145d7f03739f9bd22be1c6c0187b..163161881d2d24ce3a7e5f397a160b9e83b48574 100644 (file)
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -544,6 +544,11 @@ static void mct_u232_read_int_callback(struct urb *urb)
                goto exit;
        }
 
+       if (urb->actual_length < 2) {
+               dev_warn_ratelimited(&port->dev, "short interrupt-in packet\n");
+               goto exit;
+       }
+
        /*
         * The interrupt-in pipe signals exceptional conditions (modem line
         * signal changes and errors). data[0] holds MSR, data[1] holds LSR.
A mirror of Linus' kernel repository