From: Michal Pecio <michal.pecio@gmail.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Heitor Alves de Siqueira <halves@igalia.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Dave Penkler <dpenkler@gmail.com>,
Johan Hovold <johan@kernel.org>,
kernel-dev@igalia.com, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org,
syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com,
stable@kernel.org
Subject: Re: [PATCH v3 1/2] usb: usbtmc: check URB actual_length for interrupt-IN notifications
Date: Tue, 5 May 2026 22:04:52 +0200 [thread overview]
Message-ID: <20260505220452.214dec73.michal.pecio@gmail.com> (raw)
In-Reply-To: <fbbcf9c7-b1f6-45d9-bb69-6c9878d3f658@rowland.harvard.edu>
On Tue, 5 May 2026 15:17:59 -0400, Alan Stern wrote:
> > Fix by checking if actual_data contains enough bytes for the headers,
> > otherwise resubmit URB to the interrupt endpoint.
>
> Would it be simpler to solve this by setting the two header bytes to 0
> before submitting the URB? Then if the device did not send enough data,
> the header values would be 0, which should prevent any reads from being
> out-of-bounds or getting stale data.
This amounts to saying that:
1. for 0 byte packets, the default notification type is zero
2. for 1 byte packets, the parameter byte defaults to zero
which would result in:
1. a warning (similar to this patch)
2. who knows what, why even worry about such things? ;)
If anything, I think the new warning isn't truly necessary and it
is misleading, if vendor specific notifications with zero-length
bNotify2 field are legal. It would suffice to check actual_length
before accepting the particular 2-byte long notification types,
and leave shorter packets unhandled, causing the default warning.
Another missing bit of pedantry is that these types should only be
interpreted this way on bInterfaceProtocol == 1 devices. But as
long as there are no other protocols defined (are there?), no valid
device is allowed to use them for anything else.
Regards,
Michal
next prev parent reply other threads:[~2026-05-05 20:05 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 18:56 [PATCH v3 0/2] usb: usbtmc: add sanity checks for interrupt endpoints Heitor Alves de Siqueira
2026-05-05 18:56 ` [PATCH v3 1/2] usb: usbtmc: check URB actual_length for interrupt-IN notifications Heitor Alves de Siqueira
2026-05-05 19:17 ` Alan Stern
2026-05-05 20:04 ` Michal Pecio [this message]
2026-05-05 18:56 ` [PATCH v3 2/2] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize Heitor Alves de Siqueira
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260505220452.214dec73.michal.pecio@gmail.com \
--to=michal.pecio@gmail.com \
--cc=dpenkler@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=halves@igalia.com \
--cc=johan@kernel.org \
--cc=kernel-dev@igalia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=stable@kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox