From: Johan Hovold <jo...@kernel.org>

commit e7b931bee739e8a77ae216e613d3b99342b6dec0 upstream.

The driver would happily overwrite its write buffer with user data in
256 byte increments due to a removed buffer-space sanity check.

Fixes: 5fcf62b0f1f2 ("tty: iuu_phoenix: fix locking.")
Cc: stable <sta...@vger.kernel.org>     # 2.6.31
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 drivers/usb/serial/iuu_phoenix.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/usb/serial/iuu_phoenix.c
+++ b/drivers/usb/serial/iuu_phoenix.c
@@ -697,14 +697,16 @@ static int iuu_uart_write(struct tty_str
        struct iuu_private *priv = usb_get_serial_port_data(port);
        unsigned long flags;
 
-       if (count > 256)
-               return -ENOMEM;
-
        spin_lock_irqsave(&priv->lock, flags);
 
+       count = min(count, 256 - priv->writelen);
+       if (count == 0)
+               goto out;
+
        /* fill the buffer */
        memcpy(priv->writebuf + priv->writelen, buf, count);
        priv->writelen += count;
+out:
        spin_unlock_irqrestore(&priv->lock, flags);
 
        return count;


Reply via email to