Re: [PATCH] USB: serial: mct_u232: fix memory corruption with small endpoint

Next message: Krzysztof Kozlowski: "Re: [PATCH 1/2] spi: dt-bindings: cdns,xspi: add sdma-io-width"
Previous message: Marc Dionne: "Re: [PATCH net v4 0/3] rxrpc: Better fix for DATA/RESPONSE decrypt vs splice()"
In reply to: Greg Kroah-Hartman: "Re: [PATCH] USB: serial: mct_u232: fix memory corruption with small endpoint"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johan Hovold

Date: Wed May 20 2026 - 10:41:49 EST

On Wed, May 20, 2026 at 01:16:49PM +0200, Greg Kroah-Hartman wrote:
> On Wed, May 20, 2026 at 12:14:52PM +0200, Johan Hovold wrote:
> > The driver overrides the maximum transfer size for a specific device
> > which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
> >
> > Make sure to never increase the maximum transfer size to prevent slab
> > corruption should a malicious device report a smaller endpoint max
> > packet size than expected.
> >
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
> > ---
>
> Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

Thanks for reviewing these. Now applied.

Johan