USB: serial: cypress_m8: fix memory corruption with small endpoint
authorJohan Hovold <johan@kernel.org>
Fri, 22 May 2026 10:16:21 +0000 (12:16 +0200)
committerJohan Hovold <johan@kernel.org>
Fri, 22 May 2026 14:07:08 +0000 (16:07 +0200)
Make sure that the interrupt-out endpoint max packet size is at least
eight bytes to avoid user-controlled slab corruption or NULL-pointer
dereference should a malicious device report a smaller size.

Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org # 2.6.26
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
drivers/usb/serial/cypress_m8.c

index afff1a0f4298b7807fb9b31e4b982b71bc21b9d5..0b8a4e9d7bc5621e37ad0870bf6b22f3b6ce32b3 100644 (file)
@@ -445,6 +445,14 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
                return -ENODEV;
        }
 
+       /*
+        * The buffer must be large enough for the one or two-byte header (and
+        * following data), but assume anything smaller than eight bytes is
+        * broken.
+        */
+       if (port->interrupt_out_size < 8)
+               return -EINVAL;
+
        priv = kzalloc_obj(struct cypress_private);
        if (!priv)
                return -ENOMEM;
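Review bot: The new `port->interrupt_out_size < 8` rejection returns -EINVAL without logging anything, so a device refused for an undersized endpoint leaves no trace for someone triaging the failed bind or looking for hostile-device activity. A one-line message before the return would cover that, e.g. `dev_err(&port->dev, "interrupt-out endpoint too small: %d\n", port->interrupt_out_size);`. The check also bounds only the out endpoint. Whether the interrupt-in buffer needs a matching lower bound for header parsing on the read path cannot be seen here, because cypress_generic_port_probe starts and ends outside the hunk and the rest of the driver is not shown, so that is worth confirming.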