[PATCH 3/5] USB: serial: io_edgeport: add missing active-port sanity check

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Johan Hovold <johan@kernel.org>
To: Johan Hovold <johan@kernel.org>
Cc: linux-usb@vger.kernel.org, stable <stable@vger.kernel.org>
Subject: [PATCH 3/5] USB: serial: io_edgeport: add missing active-port sanity check
Date: Fri, 17 Jan 2020 10:50:24 +0100	[thread overview]
Message-ID: <20200117095026.27655-4-johan@kernel.org> (raw)
In-Reply-To: <20200117095026.27655-1-johan@kernel.org>

The driver receives the active port number from the device, but never
made sure that the port number was valid. This could lead to a
NULL-pointer dereference or memory corruption in case a device sends
data for an invalid port.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/serial/io_edgeport.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index 0582d78bdb1d..5737add6a2a4 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -1725,7 +1725,8 @@ static void edge_break(struct tty_struct *tty, int break_state)
 static void process_rcvd_data(struct edgeport_serial *edge_serial,
 				unsigned char *buffer, __u16 bufferLength)
 {
-	struct device *dev = &edge_serial->serial->dev->dev;
+	struct usb_serial *serial = edge_serial->serial;
+	struct device *dev = &serial->dev->dev;
 	struct usb_serial_port *port;
 	struct edgeport_port *edge_port;
 	__u16 lastBufferLength;
@@ -1821,9 +1822,8 @@ static void process_rcvd_data(struct edgeport_serial *edge_serial,
 
 			/* spit this data back into the tty driver if this
 			   port is open */
-			if (rxLen) {
-				port = edge_serial->serial->port[
-							edge_serial->rxPort];
+			if (rxLen && edge_serial->rxPort < serial->num_ports) {
+				port = serial->port[edge_serial->rxPort];
 				edge_port = usb_get_serial_port_data(port);
 				if (edge_port && edge_port->open) {
 					dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n",
@@ -1833,8 +1833,8 @@ static void process_rcvd_data(struct edgeport_serial *edge_serial,
 							rxLen);
 					edge_port->port->icount.rx += rxLen;
 				}
-				buffer += rxLen;
 			}
+			buffer += rxLen;
 			break;
 
 		case EXPECT_HDR3:	/* Expect 3rd byte of status header */
@@ -1869,6 +1869,8 @@ static void process_rcvd_status(struct edgeport_serial *edge_serial,
 	__u8 code = edge_serial->rxStatusCode;
 
 	/* switch the port pointer to the one being currently talked about */
+	if (edge_serial->rxPort >= edge_serial->serial->num_ports)
+		return;
 	port = edge_serial->serial->port[edge_serial->rxPort];
 	edge_port = usb_get_serial_port_data(port);
 	if (edge_port == NULL) {
-- 
2.24.1

next prev parent reply	other threads:[~2020-01-17  9:51 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-17  9:50 [PATCH 0/5] USB: serial: handle unbound ports Johan Hovold
2020-01-17  9:50 ` [PATCH 1/5] USB: ch341: handle unbound port at reset_resume Johan Hovold
2020-01-17  9:50 ` [PATCH 2/5] USB: serial: io_edgeport: handle unbound ports on URB completion Johan Hovold
2020-01-17  9:50 ` Johan Hovold [this message]
2020-01-17  9:50 ` [PATCH 4/5] USB: serial: keyspan: handle unbound ports Johan Hovold
2020-01-17  9:50 ` [PATCH 5/5] USB: serial: quatech2: " Johan Hovold
2020-01-17 10:36   ` Greg KH
2020-01-17 10:53     ` Johan Hovold
2020-01-17 13:13       ` Greg KH
2020-01-17 14:29         ` Johan Hovold
2020-01-17 13:13 ` [PATCH 0/5] USB: serial: " Greg KH

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:0582d78bdb1 dfblob:5737add6a2a )
 OR (
bs:"[PATCH 3/5] USB: serial: io_edgeport: add missing active-port sanity check" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200117095026.27655-4-johan@kernel.org \
    --to=johan@kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.