USB: serial: keyspan: fix missing indat transfer sanity check

Add the missing sanity check on the size of usa49wg indat transfers to
avoid parsing stale or uninitialised slab data.

Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG")
Cc: stable@vger.kernel.org	# 2.6.23
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>

diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
index 46448843541ae2fa19ff019f4f697a53d703aed7..28b80607cebd24d27c422dff440951aad65bd58a 100644 (file)
--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -1187,6 +1187,10 @@ static void usa49wg_indat_callback(struct urb *urb)
        len = 0;
 
        while (i < urb->actual_length) {
+               if (urb->actual_length - i < 3) {
+                       dev_warn_ratelimited(&urb->dev->dev, "malformed indat packet\n");
+                       break;
+               }
 
                /* Check port number from message */
                if (data[i] >= serial->num_ports) {