Re: [PATCH] Input: ims-pcu - bound frame parser write index against read_buf size

Next message: Minda Chen: "Re: [net-next v2 0/3] Add motorcomm 8531s set ds func and 8522 driver"
Previous message: Mark Pearson: "Re: [PATCH] platform/x86: ideapad-laptop: remap &quot;Star with S&quot; key to KEY_DASHBOARD"
In reply to: Greg Kroah-Hartman: "[PATCH] Input: ims-pcu - bound frame parser write index against read_buf size"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH] Input: ims-pcu - bound frame parser write index against read_buf size"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dmitry Torokhov

Date: Wed Apr 22 2026 - 21:36:38 EST

Hi Greg,

On Mon, Apr 20, 2026 at 09:05:31PM +0200, Greg Kroah-Hartman wrote:
> ims_pcu_process_data() implements a STX/DLE/ETX byte-stuffing parser
> that accumulates frame payload into pcu->read_buf[] using the running
> index pcu->read_pos. read_buf is IMS_PCU_BUF_SIZE (128) bytes and
> read_pos is u8 but of course, we don't check the index before actually
> writing the data :(
>
> Fix this up by properly rejecting the frame at the first attempt to
> write past read_buf and resync on the next STX, mirroring how the parser
> handles short and bad-checksum frames on ETX.
>
> Cc: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
> Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
> Cc: stable <stable@xxxxxxxxxx>
> Assisted-by: gkh_clanker_t1000
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

I already have a patch for this, thanks.

--
Dmitry