Re: [PATCH] USB: serial: keyspan: fix missing indat transfer sanity check

Next message: Jun Yan: "[PATCH v7 0/6] leds: Add powerdown gpio for is31fl32xx"
Previous message: Jeffrey E Altman: "Re: [PATCH net v4 0/3] rxrpc: Better fix for DATA/RESPONSE decrypt vs splice()"
In reply to: Greg Kroah-Hartman: "Re: [PATCH] USB: serial: keyspan: fix missing indat transfer sanity check"
Next in thread: kernel test robot: "Re: [PATCH] USB: serial: keyspan: fix missing indat transfer sanity check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johan Hovold

Date: Wed May 20 2026 - 10:16:14 EST

On Wed, May 20, 2026 at 12:12:30PM +0200, Johan Hovold wrote:
> Add the missing sanity check on the size of usa49wg indat transfers to
> avoid parsing stale or uninitialised slab data.
>
> Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG")
> Cc: stable@xxxxxxxxxxxxxxx # 2.6.23
> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
> ---
> drivers/usb/serial/keyspan.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
> index 46448843541a..a267bc51afc1 100644
> --- a/drivers/usb/serial/keyspan.c
> +++ b/drivers/usb/serial/keyspan.c
> @@ -1187,6 +1187,10 @@ static void usa49wg_indat_callback(struct urb *urb)
> len = 0;
>
> while (i < urb->actual_length) {
> + if (urb->actual_length - i < 3) {
> + dev_warn_ratelimited(&serial->dev, "malformed indat packet\n");

This dev_printk was a last minute addition before submitting which I
apparently failed to compile test. This should have been
&serial->interface->dev (or &urb->dev->dev).

Will fix up when applying.

> + break;
> + }
>
> /* Check port number from message */
> if (data[i] >= serial->num_ports) {

Johan