Re: [PATCH] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message

Next message: Heiko Stuebner: "Re: [PATCH] arm64: dts: rockchip: Add battery and charger on rk3566-pinenote"
Previous message: Konrad Dybcio: "Re: [PATCH] crypto: qce - Remove return variable and unused assignments"
In reply to: Marc Kleine-Budde: "Re: [PATCH] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message"
Next in thread: Marc Kleine-Budde: "Re: [PATCH] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg Kroah-Hartman

Date: Mon Mar 02 2026 - 07:57:50 EST

On Mon, Mar 02, 2026 at 11:06:34AM +0100, Marc Kleine-Budde wrote:
> On 23.02.2026 17:51:17, Greg Kroah-Hartman wrote:
> > When looking at the data in a USB urb, the actual_length is the size of
> > the buffer passed to the driver, not the transfer_buffer_length which is
> > set by the driver as the max size of the buffer.
> >
> > When parsing the messages in ems_usb_read_bulk_callback() properly check
> > the size both at the beginning of parsing the message to make sure it is
> > big enough for the expected structure, and at the end of the message to
> > make sure we don't overflow past the end of the buffer for the next
> > message.
> >
> > Cc: Vincent Mailhol <mailhol@xxxxxxxxxx>
> > Cc: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
> > Cc: stable <stable@xxxxxxxxxx>
> > Assisted-by: gkh_clanker_2000
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
>
> Applied to linux-can, with preferred stable format.

What is your "preferred stable format"?