USB: serial: mxuport: fix memory corruption with small endpoint

Make sure that the bulk-out endpoint max packet size is at least eight
bytes to avoid user-controlled slab corruption should a malicious device
report a smaller size.

Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver")
Cc: stable@vger.kernel.org	# 3.14
Cc: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>

diff --git a/drivers/usb/serial/mxuport.c b/drivers/usb/serial/mxuport.c
index ad5fdf55a02e18a57a86205a3b7943a26cf2fac5..c9b9928c473a4a3a41ad333881feb9cb1a7d7335 100644 (file)
--- a/drivers/usb/serial/mxuport.c
+++ b/drivers/usb/serial/mxuport.c
@@ -962,6 +962,14 @@ static int mxuport_calc_num_ports(struct usb_serial *serial,
         */
        BUILD_BUG_ON(ARRAY_SIZE(epds->bulk_out) < 16);
 
+       /*
+        * The bulk-out buffers must be large enough for the four-byte header
+        * (and following data), but assume anything smaller than eight bytes
+        * is broken.
+        */
+       if (usb_endpoint_maxp(epds->bulk_out[0]) < 8)
+               return -EINVAL;
+
        for (i = 1; i < num_ports; ++i)
                epds->bulk_out[i] = epds->bulk_out[0];