From: Johan Hovold <johan@kernel.org>
Date: Wed, 20 May 2026 14:27:10 +0000 (+0200)
Subject: USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
X-Git-Tag: v7.1-rc6~9^2^2~7
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=245aba83e3c288e176ed037a1f6b618b09e92ed8;p=thirdparty%2Fkernel%2Flinux.git

USB: serial: mct_u232: fix missing interrupt-in transfer sanity check

Add the missing sanity check on the size of interrupt-in transfers to
avoid parsing stale or uninitialised slab data (and leaking it to user
space).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
---

diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index ca1530da6e77..163161881d2d 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -544,6 +544,11 @@ static void mct_u232_read_int_callback(struct urb *urb)
 		goto exit;
 	}
 
+	if (urb->actual_length < 2) {
+		dev_warn_ratelimited(&port->dev, "short interrupt-in packet\n");
+		goto exit;
+	}
+
 	/*
 	 * The interrupt-in pipe signals exceptional conditions (modem line
 	 * signal changes and errors). data[0] holds MSR, data[1] holds LSR.