USB: serial: mct_u232: fix memory corruption with small endpoint

The driver overrides the maximum transfer size for a specific device
which only accepts 16 byte packets for its 32 byte bulk-out endpoint.

Make sure to never increase the maximum transfer size to prevent slab
corruption should a malicious device report a smaller endpoint max
packet size than expected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>

diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index 18844b92bd0886aed16649dab333efe4100f4cbe..ca1530da6e77145d7f03739f9bd22be1c6c0187b 100644 (file)
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
 {
        struct usb_serial *serial = port->serial;
        struct mct_u232_private *priv;
+       u16 pid;
 
        /* check first to simplify error handling */
        if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
                return -ENODEV;
        }
 
+       /*
+        * Compensate for a hardware bug: although the Sitecom U232-P25
+        * device reports a maximum output packet size of 32 bytes,
+        * it seems to be able to accept only 16 bytes (and that's what
+        * SniffUSB says too...)
+        */
+       pid = le16_to_cpu(serial->dev->descriptor.idProduct);
+       if (pid == MCT_U232_SITECOM_PID)
+               port->bulk_out_size = min(16, port->bulk_out_size);
+
        priv = kzalloc_obj(*priv);
        if (!priv)
                return -ENOMEM;
@@ -410,7 +421,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port)
 
 static int  mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
 {
-       struct usb_serial *serial = port->serial;
        struct mct_u232_private *priv = usb_get_serial_port_data(port);
        int retval = 0;
        unsigned int control_state;
@@ -418,15 +428,6 @@ static int  mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
        unsigned char last_lcr;
        unsigned char last_msr;
 
-       /* Compensate for a hardware bug: although the Sitecom U232-P25
-        * device reports a maximum output packet size of 32 bytes,
-        * it seems to be able to accept only 16 bytes (and that's what
-        * SniffUSB says too...)
-        */
-       if (le16_to_cpu(serial->dev->descriptor.idProduct)
-                                               == MCT_U232_SITECOM_PID)
-               port->bulk_out_size = 16;
-
        /* Do a defined restart: the normal serial device seems to
         * always turn on DTR and RTS here, so do the same. I'm not
         * sure if this is really necessary. But it should not harm