Re: [PATCH] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message

Next message: Niklas Cassel: "Re: [PATCH v10 7/7] PCI: endpoint: pci-ep-msi: Add embedded doorbell fallback"
Previous message: Marc Kleine-Budde: "Re: [PATCH] can: ucan: Fix infinite loop from zero-length messages"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Marc Kleine-Budde

Date: Mon Mar 02 2026 - 05:12:32 EST

On 23.02.2026 17:51:17, Greg Kroah-Hartman wrote:
> When looking at the data in a USB urb, the actual_length is the size of
> the buffer passed to the driver, not the transfer_buffer_length which is
> set by the driver as the max size of the buffer.
>
> When parsing the messages in ems_usb_read_bulk_callback() properly check
> the size both at the beginning of parsing the message to make sure it is
> big enough for the expected structure, and at the end of the message to
> make sure we don't overflow past the end of the buffer for the next
> message.
>
> Cc: Vincent Mailhol <mailhol@xxxxxxxxxx>
> Cc: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> Assisted-by: gkh_clanker_2000
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

Applied to linux-can, with preferred stable format.

regards,
Marc

--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung Nürnberg | Phone: +49-5121-206917-129 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-9 |

Attachment: signature.asc
Description: PGP signature