From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Vincent Mailhol, Marc Kleine-Budde, stable@kernel.org
Subject: [PATCH 6.12 133/265] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
Date: Thu, 12 Mar 2026 21:08:40 +0100
Message-ID: <20260312201023.055884760@linuxfoundation.org>
In-Reply-To: <20260312201018.128816016@linuxfoundation.org>
References: <20260312201018.128816016@linuxfoundation.org>

6.12-stable review patch. If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman

commit 38a01c9700b0dcafe97dfa9dc7531bf4a245deff upstream.

When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_length which is set by the driver as the max size of the buffer.

When parsing the messages in ems_usb_read_bulk_callback() properly check the size both at the beginning of parsing the message to make sure it is big enough for the expected structure, and at the end of the message to make sure we don't overflow past the end of the buffer for the next message.

Cc: Vincent Mailhol
Cc: Marc Kleine-Budde
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman
Link: https://patch.msgid.link/2026022316-answering-strainer-a5db@gregkh
Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Greg Kroah-Hartman

--- drivers/net/can/usb/ems_usb.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c
@@ -445,6 +445,11 @@ static void ems_usb_read_bulk_callback(s start = CPC_HEADER_SIZE; while (msg_count) { + if (start + CPC_MSG_HEADER_LEN > urb->actual_length) { + netdev_err(netdev, "format error\n"); + break; + } + msg = (struct ems_cpc_msg *)&ibuf[start]; switch (msg->type) { @@ -474,7 +479,7 @@ static void ems_usb_read_bulk_callback(s start += CPC_MSG_HEADER_LEN + msg->length; msg_count--; - if (start > urb->transfer_buffer_length) { + if (start > urb->actual_length) { netdev_err(netdev, "format error\n"); break; }
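Review bot: In the first hunk (@@ -445), the new check at the top of the while loop only guarantees that CPC_MSG_HEADER_LEN bytes are available at ibuf[start]; the payload length in msg->length is not validated until after the switch (msg->type) block has already handled the message. Any case in that switch that reads payload bytes can therefore still read past urb->actual_length for the message currently being parsed, and the end-of-loop check only stops the following iteration. Consider adding a second test directly after msg is assigned, before the switch, that rejects the message when start + CPC_MSG_HEADER_LEN + msg->length > urb->actual_length. It would also help to state in a short comment that actual_length is the number of bytes the device actually delivered, since that is the whole reason for the change.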
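Review bot: In the second hunk (@@ -474), the corrected comparison against urb->actual_length logs the same "format error\n" string as the check added at the top of the loop, so a log line cannot tell a truncated header from a message whose declared length overruns the received data. Suggest distinct messages for the two paths, ideally including start and urb->actual_length. Since the length fields come from the device and this runs in the URB completion path, the netdev_err() calls should also be rate limited so that a misbehaving device cannot flood the kernel log.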