[PATCH] USB: serial: mct_u232: fix memory corruption with small endpoint

Linux kernel -stable discussions
 help / color / mirror / Atom feed

* [PATCH] USB: serial: mct_u232: fix memory corruption with small endpoint
@ 2026-05-20 10:14 Johan Hovold
  2026-05-20 11:16 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 3+ messages in thread
From: Johan Hovold @ 2026-05-20 10:14 UTC (permalink / raw)
  To: Johan Hovold; +Cc: Greg Kroah-Hartman, linux-usb, linux-kernel, stable

The driver overrides the maximum transfer size for a specific device
which only accepts 16 byte packets for its 32 byte bulk-out endpoint.

Make sure to never increase the maximum transfer size to prevent slab
corruption should a malicious device report a smaller endpoint max
packet size than expected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index 18844b92bd08..ca1530da6e77 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
 {
 	struct usb_serial *serial = port->serial;
 	struct mct_u232_private *priv;
+	u16 pid;
 
 	/* check first to simplify error handling */
 	if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
 		return -ENODEV;
 	}
 
+	/*
+	 * Compensate for a hardware bug: although the Sitecom U232-P25
+	 * device reports a maximum output packet size of 32 bytes,
+	 * it seems to be able to accept only 16 bytes (and that's what
+	 * SniffUSB says too...)
+	 */
+	pid = le16_to_cpu(serial->dev->descriptor.idProduct);
+	if (pid == MCT_U232_SITECOM_PID)
+		port->bulk_out_size = min(16, port->bulk_out_size);
+
 	priv = kzalloc_obj(*priv);
 	if (!priv)
 		return -ENOMEM;
@@ -410,7 +421,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port)
 
 static int  mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
 {
-	struct usb_serial *serial = port->serial;
 	struct mct_u232_private *priv = usb_get_serial_port_data(port);
 	int retval = 0;
 	unsigned int control_state;
@@ -418,15 +428,6 @@ static int  mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
 	unsigned char last_lcr;
 	unsigned char last_msr;
 
-	/* Compensate for a hardware bug: although the Sitecom U232-P25
-	 * device reports a maximum output packet size of 32 bytes,
-	 * it seems to be able to accept only 16 bytes (and that's what
-	 * SniffUSB says too...)
-	 */
-	if (le16_to_cpu(serial->dev->descriptor.idProduct)
-						== MCT_U232_SITECOM_PID)
-		port->bulk_out_size = 16;
-
 	/* Do a defined restart: the normal serial device seems to
 	 * always turn on DTR and RTS here, so do the same. I'm not
 	 * sure if this is really necessary. But it should not harm
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] USB: serial: mct_u232: fix memory corruption with small endpoint
  2026-05-20 10:14 [PATCH] USB: serial: mct_u232: fix memory corruption with small endpoint Johan Hovold
@ 2026-05-20 11:16 ` Greg Kroah-Hartman
  2026-05-20 14:39   ` Johan Hovold
  0 siblings, 1 reply; 3+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 11:16 UTC (permalink / raw)
  To: Johan Hovold; +Cc: linux-usb, linux-kernel, stable

On Wed, May 20, 2026 at 12:14:52PM +0200, Johan Hovold wrote:
> The driver overrides the maximum transfer size for a specific device
> which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
> 
> Make sure to never increase the maximum transfer size to prevent slab
> corruption should a malicious device report a smaller endpoint max
> packet size than expected.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] USB: serial: mct_u232: fix memory corruption with small endpoint
  2026-05-20 11:16 ` Greg Kroah-Hartman
@ 2026-05-20 14:39   ` Johan Hovold
  0 siblings, 0 replies; 3+ messages in thread
From: Johan Hovold @ 2026-05-20 14:39 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-usb, linux-kernel, stable

On Wed, May 20, 2026 at 01:16:49PM +0200, Greg Kroah-Hartman wrote:
> On Wed, May 20, 2026 at 12:14:52PM +0200, Johan Hovold wrote:
> > The driver overrides the maximum transfer size for a specific device
> > which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
> > 
> > Make sure to never increase the maximum transfer size to prevent slab
> > corruption should a malicious device report a smaller endpoint max
> > packet size than expected.
> > 
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Johan Hovold <johan@kernel.org>
> > ---
> 
> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thanks for reviewing these. Now applied.

Johan

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-05-20 14:39 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-20 10:14 [PATCH] USB: serial: mct_u232: fix memory corruption with small endpoint Johan Hovold
2026-05-20 11:16 ` Greg Kroah-Hartman
2026-05-20 14:39   ` Johan Hovold

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox