* [PATCH] USB: serial: belkin_sa: validate interrupt status length
@ 2026-05-16 4:24 Zhang Cen
From: Zhang Cen @ 2026-05-16 4:24 UTC
To: Johan Hovold, Greg Kroah-Hartman
Cc: linux-usb, linux-kernel, zerocling0077, 2045gemini, Zhang Cen
The Belkin interrupt callback treats the interrupt packet as a four-byte
status report and reads LSR/MSR fields at offsets 2 and 3. The
interrupt-in buffer length is derived from endpoint wMaxPacketSize,
and short interrupt transfers may complete successfully with a smaller
actual_length.
Do not parse interrupt status unless both the URB buffer and the completed
packet are large enough for the status fields. This prevents devices with
short interrupt endpoints or short successful packets from driving
out-of-bounds or stale status-byte reads.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
---
drivers/usb/serial/belkin_sa.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/serial/belkin_sa.c b/drivers/usb/serial/belkin_sa.c
index 38ac910b1082..a1e4173a2877 100644
--- a/drivers/usb/serial/belkin_sa.c
+++ b/drivers/usb/serial/belkin_sa.c
@@ -192,6 +192,10 @@ static void belkin_sa_read_int_callback(struct urb *urb)
goto exit;
}
+ if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1 ||
+ urb->transfer_buffer_length < BELKIN_SA_MSR_INDEX + 1)
+ goto exit;
+
usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data);
/* Handle known interrupt data */
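Review bot: the second comparison in the new condition, urb->transfer_buffer_length < BELKIN_SA_MSR_INDEX + 1, looks redundant. A completed IN URB should not report an actual_length larger than its transfer_buffer_length, so the actual_length test alone already bounds the reads at offsets 2 and 3 that the commit message describes. Consider dropping the second test, or add a comment saying which case it covers that the first does not. Separately, the check sits above usb_serial_debug_data(), so a short packet takes goto exit without being dumped or logged. Moving the check below the debug call, or adding a dev_dbg() on the short path, would keep malformed status reports visible when someone is debugging a misbehaving device.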
--
2.43.0