From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3A3573D3488;
	Wed, 20 May 2026 10:15:01 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1779272102; cv=none; b=faiYCGd/XBnQrMeA0krc51tEPLJhPNfu8vCSTp12bQ9U4bMSlezAzOguQsoTkyjXt1eWo5hFErDz+CpwKZxNjEtL09j9KkKLFPAY0WoOV02xyVBNg3mWbEVkINrJPkFCYI/mcyZs8TQ1iM4J7dogPFxEbY9iivuppRcb/+1HB3w=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1779272102; c=relaxed/simple;
	bh=8wFPq94yFSybvgXDcni+KLTML8MIhHDChwtg6j+50AM=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=H8eZgggtyXmkpRJ+B4frx/Kl4ptpOMARe929a4bQLNrNXaGLiA/DTkduf6qourJHBlBODa4puMeub8OULIYPXFT2deiFkXG4VONBZLsd7eUMZOJyB2m3HqWAlHZC/yHpRAll18FKzagBPKYz1SxA31Zt2zKkccmCiO4JtMkZGik=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=AogE4ric; arc=none smtp.client-ip=100.103.45.18
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="AogE4ric"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id E0A541F000E9;
	Wed, 20 May 2026 10:15:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1779272100;
	bh=bn0l51DDioA8sZuJfYzycRmVprKeKfbJ4kO44tV877o=;
	h=From:To:Cc:Subject:Date;
	b=AogE4ricj/CApjPIj0bjsa4bS2dYCFqsBP4Qq8Z6dqur0H7KHCADBihKZ9gdTwtuu
	 E49uM1BYv1CTT05PfGYItvbF7iYrgj6rS1p8XRj3q9EcgQtalk/F5Pr96OXWtBlje+
	 EmC2eS12i7gf5iqubdvwEIBrw0kBmCN0TCjITj9zzxEdBF9YqJiDmbXdx89dhesPuw
	 OcETxRFV1Kw98KKBQTHsW6Vs8uMU0uYX0x0crVX3eXB/dD2KDojLW3ui68W+2QvkLK
	 4A8vMllOE2p2TjZhOKFK6jujSNQxwEWRI7FRDu0lk+8Zb60x9ka3MycnUjGpDge/cF
	 37nDzHOhgcG1Q==
Received: from johan by xi.lan with local (Exim 4.98.2)
	(envelope-from <johan@kernel.org>)
	id 1wPdx4-00000002l5S-30P0;
	Wed, 20 May 2026 12:14:58 +0200
From: Johan Hovold <johan@kernel.org>
To: Johan Hovold <johan@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-usb@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: [PATCH] USB: serial: mct_u232: fix memory corruption with small endpoint
Date: Wed, 20 May 2026 12:14:52 +0200
Message-ID: <20260520101452.657643-1-johan@kernel.org>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
List-Id: <stable.vger.kernel.org>
List-Subscribe: <mailto:stable+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:stable+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

The driver overrides the maximum transfer size for a specific device
which only accepts 16 byte packets for its 32 byte bulk-out endpoint.

Make sure to never increase the maximum transfer size to prevent slab
corruption should a malicious device report a smaller endpoint max
packet size than expected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index 18844b92bd08..ca1530da6e77 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
 {
 	struct usb_serial *serial = port->serial;
 	struct mct_u232_private *priv;
+	u16 pid;
 
 	/* check first to simplify error handling */
 	if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
 		return -ENODEV;
 	}
 
+	/*
+	 * Compensate for a hardware bug: although the Sitecom U232-P25
+	 * device reports a maximum output packet size of 32 bytes,
+	 * it seems to be able to accept only 16 bytes (and that's what
+	 * SniffUSB says too...)
+	 */
+	pid = le16_to_cpu(serial->dev->descriptor.idProduct);
+	if (pid == MCT_U232_SITECOM_PID)
+		port->bulk_out_size = min(16, port->bulk_out_size);
+
 	priv = kzalloc_obj(*priv);
 	if (!priv)
 		return -ENOMEM;
@@ -410,7 +421,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port)
 
 static int  mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
 {
-	struct usb_serial *serial = port->serial;
 	struct mct_u232_private *priv = usb_get_serial_port_data(port);
 	int retval = 0;
 	unsigned int control_state;
@@ -418,15 +428,6 @@ static int  mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
 	unsigned char last_lcr;
 	unsigned char last_msr;
 
-	/* Compensate for a hardware bug: although the Sitecom U232-P25
-	 * device reports a maximum output packet size of 32 bytes,
-	 * it seems to be able to accept only 16 bytes (and that's what
-	 * SniffUSB says too...)
-	 */
-	if (le16_to_cpu(serial->dev->descriptor.idProduct)
-						== MCT_U232_SITECOM_PID)
-		port->bulk_out_size = 16;
-
 	/* Do a defined restart: the normal serial device seems to
 	 * always turn on DTR and RTS here, so do the same. I'm not
 	 * sure if this is really necessary. But it should not harm
-- 
2.53.0