From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Vincent Mailhol, Marc Kleine-Budde, stable@kernel.org
Subject: [PATCH 6.6 093/567] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
Date: Mon, 23 Mar 2026 14:40:13 +0100
Message-ID: <20260323134536.129221314@linuxfoundation.org>
In-Reply-To: <20260323134533.749096647@linuxfoundation.org>

6.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman

commit 38a01c9700b0dcafe97dfa9dc7531bf4a245deff upstream.

When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_length which is set by the driver as the max size of the buffer.

When parsing the messages in ems_usb_read_bulk_callback() properly check the size both at the beginning of parsing the message to make sure it is big enough for the expected structure, and at the end of the message to make sure we don't overflow past the end of the buffer for the next message.

Cc: Vincent Mailhol
Cc: Marc Kleine-Budde
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman
Link: https://patch.msgid.link/2026022316-answering-strainer-a5db@gregkh
Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/can/usb/ems_usb.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c 
@@ -445,6 +445,11 @@ static void ems_usb_read_bulk_callback(s start = CPC_HEADER_SIZE; while (msg_count) { + if (start + CPC_MSG_HEADER_LEN > urb->actual_length) { + netdev_err(netdev, "format error\n"); + break; + } + msg = (struct ems_cpc_msg *)&ibuf[start]; switch (msg->type) { @@ -474,7 +479,7 @@ static void ems_usb_read_bulk_callback(s start += CPC_MSG_HEADER_LEN + msg->length; msg_count--; - if (start > urb->transfer_buffer_length) { + if (start > urb->actual_length) { netdev_err(netdev, "format error\n"); break; }
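
Review bot: In the first hunk, the new check at the top of the while loop only guarantees that CPC_MSG_HEADER_LEN bytes lie inside urb->actual_length, while the switch on msg->type that follows runs before msg->length has been compared against the buffer. A final message with an in-bounds header and a payload that runs past actual_length is still handed to the switch and is rejected only by the later check that follows "start += CPC_MSG_HEADER_LEN + msg->length;". Consider also validating start + CPC_MSG_HEADER_LEN + msg->length against urb->actual_length at this point, before msg is used, so that no case in the switch sees a truncated payload.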
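
Review bot: In the second hunk, the corrected comparison against urb->actual_length logs the same "format error" string as the header check added at the top of the loop, so a log line cannot tell which of the two conditions fired. Suggest distinct messages, for example ones that include start and urb->actual_length. Since both calls to netdev_err() sit in the URB completion callback and are triggered by device-supplied data, consider rate limiting them so that a misbehaving device cannot flood the log.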