Re: [PATCH v2] USB: serial: belkin_sa: validate interrupt status length

From: Johan Hovold

Date: Wed May 20 2026 - 10:40:24 EST


On Tue, May 19, 2026 at 07:11:50PM +0800, Zhang Cen wrote:
> The Belkin interrupt callback treats interrupt data as a four-byte
> status report and reads LSR/MSR fields at offsets 2 and 3. The
> interrupt-in buffer length is derived from endpoint wMaxPacketSize, and
> short interrupt transfers may complete successfully with a smaller
> actual_length.
>
> Check the completed interrupt packet length before parsing status
> fields so short interrupt endpoints and short successful packets are
> ignored instead of causing out-of-bounds or stale status-byte reads.
>
> KASAN report as below:
>
> BUG: KASAN: slab-out-of-bounds in belkin_sa_read_int_callback()
> Read of size 1

> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Assisted-by: Codex:gpt-5.5
> Signed-off-by: Zhang Cen <rollkingzzc@xxxxxxxxx>
> ---
> v2:
> - Drop the transfer_buffer_length check; urb->actual_length is bounded
> by the URB transfer buffer length.
> - Add the KASAN validation report.
> - Add Assisted-by tag.

Applied, thanks.

Johan
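Added example, not the driver's code or the applied patch (which this message does not quote): a userspace C model of the two cases the commit message describes, a short packet in a full-size buffer (stale bytes) and an endpoint smaller than the report (out-of-bounds). `struct model_urb`, `parse_unchecked` and `parse_checked` are hypothetical names, and the byte values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPORT_LEN 4   /* four-byte status report */
#define LSR_OFF    2   /* offsets given in the commit message */
#define MSR_OFF    3

/* Hypothetical userspace stand-in for the URB fields involved. */
struct model_urb {
    const uint8_t *buf;
    size_t buf_len;      /* sized from the endpoint's wMaxPacketSize */
    size_t actual_len;   /* bytes the device really delivered, <= buf_len */
};

struct status { uint8_t lsr, msr; };

/* Before: trusts that a full report arrived. Only call with buf_len >= 4. */
void parse_unchecked(const struct model_urb *u, struct status *s)
{
    s->lsr = u->buf[LSR_OFF];
    s->msr = u->buf[MSR_OFF];
}

/* After: ignore anything shorter than a full report. 0 = parsed, -1 = ignored. */
int parse_checked(const struct model_urb *u, struct status *s)
{
    if (u->actual_len < REPORT_LEN)
        return -1;
    s->lsr = u->buf[LSR_OFF];
    s->msr = u->buf[MSR_OFF];
    return 0;
}

int main(void)
{
    /* Constructed data: bytes 2..3 are left over from an earlier report. */
    uint8_t buf4[4] = { 0x00, 0x00, 0x61, 0xb0 };
    uint8_t buf2[2] = { 0x00, 0x00 };
    struct model_urb full  = { buf4, 4, 4 };
    struct model_urb stale = { buf4, 4, 2 };  /* short packet, full-size buffer */
    struct model_urb tiny  = { buf2, 2, 2 };  /* endpoint smaller than the report */
    struct status s = { 0, 0 };

    parse_unchecked(&stale, &s);
    printf("unchecked short packet: lsr=0x%02x (stale)\n", s.lsr);
    printf("checked: full=%d stale=%d tiny=%d\n", parse_checked(&full, &s),
           parse_checked(&stale, &s), parse_checked(&tiny, &s));
    return 0;
}
```

Because `actual_len` never exceeds `buf_len`, the single length test also covers the small-endpoint case, which matches the v2 note about dropping the separate buffer-length check.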