From: Zhang Cen
To: Johan Hovold, Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, zerocling0077@gmail.com, 2045gemini@gmail.com, Zhang Cen
Subject: [PATCH] USB: serial: belkin_sa: validate interrupt status length
Date: Sat, 16 May 2026 12:24:28 +0800
Message-Id: <20260516042428.3777524-1-rollkingzzc@gmail.com>

The Belkin interrupt callback treats the interrupt packet as a four-byte
status report and reads LSR/MSR fields at offsets 2 and 3. The
interrupt-in buffer length is derived from endpoint wMaxPacketSize, and
short interrupt transfers may complete successfully with a smaller
actual_length.

Do not parse interrupt status unless both the URB buffer and the
completed packet are large enough for the status fields. This prevents
devices with short interrupt endpoints or short successful packets from
driving out-of-bounds or stale status-byte reads.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhang Cen
--- drivers/usb/serial/belkin_sa.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/serial/belkin_sa.c b/drivers/usb/serial/belkin_sa.c index 38ac910b1082..a1e4173a2877 100644 --- a/drivers/usb/serial/belkin_sa.c +++ b/drivers/usb/serial/belkin_sa.c
@@ -192,6 +192,10 @@ static void belkin_sa_read_int_callback(struct urb *urb) goto exit; } + if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1 || + urb->transfer_buffer_length < BELKIN_SA_MSR_INDEX + 1) + goto exit; + usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data); /* Handle known interrupt data */ -- 2.43.0
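Review bot: The second condition in the added check, `urb->transfer_buffer_length < BELKIN_SA_MSR_INDEX + 1`, looks redundant: a completed URB never reports an actual_length larger than its transfer_buffer_length, so `urb->actual_length < BELKIN_SA_MSR_INDEX + 1` already covers an undersized buffer and the test can be reduced to that one comparison. The check also sits above the usb_serial_debug_data() call, so a short report is dropped without ever appearing in the debug dump; placing the length test after the dump, or adding a dev_dbg() on the early exit, would leave a trace when a device sends a truncated status packet. Finally, `BELKIN_SA_MSR_INDEX + 1` encodes the four-byte report size mentioned in the commit message only implicitly; a named length constant or a one-line comment would make the intent clear at the call site.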