Re: [PATCH] USB: serial: kl5kusb105: fix bulk-out buffer overflow
From: Johan Hovold
Date: Mon Jun 08 2026 - 02:34:31 EST

On Sun, Jun 07, 2026 at 06:51:14PM +0900, HyeongJun An wrote:
> klsi_105_prepare_write_buffer() is called by the generic write path
> with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
> stores a two-byte length header at the start of the buffer and copies
> the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
> passes the full buffer size as the number of bytes to copy:
>
>     count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
>                              size, &port->lock);
>
> When the fifo holds at least size bytes, size bytes are copied starting
> two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
> end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
> the header as safe_serial already does.

Good catch!

How was this found? Did you use some kind of static checker or LLM?

Johan
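
The copy-length error described in the quoted commit message, modelled in userspace C as an added example (not part of the original message and not the kernel driver's code). `model_fifo`, `model_prepare` and `guard_bytes_clobbered` are hypothetical names; the canary region after the buffer and the little-endian header layout are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KLSI_HDR_LEN  2   /* two-byte length header, per the commit message */
#define BULK_OUT_SIZE 64  /* bulk_out_size quoted in the commit message */
#define GUARD_LEN     8   /* constructed canary region placed after the buffer */

/* Hypothetical stand-in for the write fifo: a flat byte queue. */
struct model_fifo { const uint8_t *data; size_t len; };

/* Models a fifo read: copies min(want, queued) bytes, returns that count. */
static size_t model_fifo_out(struct model_fifo *f, uint8_t *dst, size_t want)
{
    size_t n = want < f->len ? want : f->len;
    memcpy(dst, f->data, n);
    f->data += n;
    f->len -= n;
    return n;
}

/* Header plus payload; 'limit' is the payload length requested from the fifo. */
static size_t model_prepare(struct model_fifo *f, uint8_t *buf, size_t limit)
{
    size_t count = model_fifo_out(f, buf + KLSI_HDR_LEN, limit);
    buf[0] = count & 0xff;         /* length header, little-endian (assumed) */
    buf[1] = (count >> 8) & 0xff;
    return count + KLSI_HDR_LEN;
}

/* Returns how many bytes past the size-byte buffer were overwritten. */
size_t guard_bytes_clobbered(size_t queued, int fixed)
{
    static uint8_t payload[4 * BULK_OUT_SIZE];   /* constructed sample data */
    uint8_t backing[BULK_OUT_SIZE + GUARD_LEN];  /* buffer followed by guard */
    struct model_fifo f = { payload, queued };
    size_t size = BULK_OUT_SIZE, i, hit = 0;

    memset(payload, 0x41, sizeof(payload));
    memset(backing, 0xEE, sizeof(backing));      /* 0xEE marks untouched bytes */
    /* Unfixed: request 'size' bytes. Fixed: leave room for the header. */
    model_prepare(&f, backing, fixed ? size - KLSI_HDR_LEN : size);
    for (i = size; i < sizeof(backing); i++)
        hit += backing[i] != 0xEE;
    return hit;
}
```

The overrun starts as soon as the fifo holds more than size - KLSI_HDR_LEN bytes and reaches the full KLSI_HDR_LEN bytes once it holds at least size bytes.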