On Tue, Jan 31, 2017 at 05:17:29PM +0100, Johan Hovold wrote:
> Make sure to check for short transfers before parsing the receive buffer
> to avoid acting on stale data.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Johan Hovold <jo...@kernel.org>
> ---
>  drivers/usb/serial/keyspan_pda.c | 19 ++++++++++++++-----
>  1 file changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/usb/serial/keyspan_pda.c 
> b/drivers/usb/serial/keyspan_pda.c
> index 83523fcf6fb9..d2dab2a341b8 100644
> --- a/drivers/usb/serial/keyspan_pda.c
> +++ b/drivers/usb/serial/keyspan_pda.c
> @@ -139,6 +139,7 @@ static void keyspan_pda_rx_interrupt(struct urb *urb)
>  {
>       struct usb_serial_port *port = urb->context;
>       unsigned char *data = urb->transfer_buffer;
> +     unsigned int len = urb->actual_length;
>       int retval;
>       int status = urb->status;
>       struct keyspan_pda_private *priv;
> @@ -159,18 +160,26 @@ static void keyspan_pda_rx_interrupt(struct urb *urb)
>               goto exit;
>       }
>  
> +     if (len < 1) {
> +             dev_warn(&port->dev, "short message received\n");
> +             goto exit;
> +     }
> +
>       /* see if the message is data or a status interrupt */
>       switch (data[0]) {
>       case 0:
>                /* rest of message is rx data */
> -             if (urb->actual_length) {
> -                     tty_insert_flip_string(&port->port, data + 1,
> -                                             urb->actual_length - 1);
> -                     tty_flip_buffer_push(&port->port);
> -             }
> +             if (len < 2)
> +                     break;
> +             tty_insert_flip_string(&port->port, data + 1, len - 1);
> +             tty_flip_buffer_push(&port->port);
>               break;
>       case 1:
>               /* status interrupt */
> +             if (len < 3) {
> +                     dev_warn(&port->dev, "short interrupt message 
> received\n");
> +                     break;
> +             }
>               dev_dbg(&port->dev, "rx int, d1=%d, d2=%d\n", data[1], data[2]);
>               switch (data[1]) {
>               case 1: /* modemline change */
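Review bot: The two new `dev_warn()` calls (the `len < 1` check and the `len < 3` check under `case 1`) fire once per completed URB, and the length of each message is chosen by the device. A faulty or malicious device that keeps sending short packets could therefore flood the kernel log from this completion handler. Consider `dev_warn_ratelimited(&port->dev, "short message received\n");` for both sites, or `dev_dbg()` as the status trace just below uses. This assumes the `exit` path resubmits the URB so the handler keeps running; that label and the rest of the function are outside the hunk.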
> -- 
> 2.10.2

Reviewed-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>