USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback
commit5.4-rM2-2.2.x-imx-squashed57aa9f294b
upstream. Fix slab-out-of-bounds read in the interrupt-URB completion handler. The boundary condition should be (length - 1) as we access data[position + 1]. Reported-and-tested-by: syzbot+37ba33391ad5f3935bbd@syzkaller.appspotmail.com Signed-off-by: Qiujun Huang <hqjagain@gmail.com> Fixes:1da177e4c3
("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent
004b43fdfc
commit
f32219427c
|
@ -710,7 +710,7 @@ static void edge_interrupt_callback(struct urb *urb)
|
||||||
/* grab the txcredits for the ports if available */
|
/* grab the txcredits for the ports if available */
|
||||||
position = 2;
|
position = 2;
|
||||||
portNumber = 0;
|
portNumber = 0;
|
||||||
while ((position < length) &&
|
while ((position < length - 1) &&
|
||||||
(portNumber < edge_serial->serial->num_ports)) {
|
(portNumber < edge_serial->serial->num_ports)) {
|
||||||
txCredits = data[position] | (data[position+1] << 8);
|
txCredits = data[position] | (data[position+1] << 8);
|
||||||
if (txCredits) {
|
if (txCredits) {
|
||||||
|
|
Loading…
Reference in New Issue