Re: [PATCH v3 1/2] usb: usbtmc: check URB actual_length for interrupt-IN notifications

Next message: Meagan Lloyd: "Re: [PATCH] rtc: ds1307: handle oscillator stop flag for ds1337/ds1339/ds3231"
Previous message: Frank Li: "Re: [PATCH v2 0/3] arm64: dts: freescale: imx95-toradex-smarc: Add Bluetooth and SER2"
In reply to: Heitor Alves de Siqueira: "[PATCH v3 1/2] usb: usbtmc: check URB actual_length for interrupt-IN notifications"
Next in thread: Michal Pecio: "Re: [PATCH v3 1/2] usb: usbtmc: check URB actual_length for interrupt-IN notifications"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alan Stern

Date: Tue May 05 2026 - 15:18:16 EST

On Tue, May 05, 2026 at 03:56:03PM -0300, Heitor Alves de Siqueira wrote:
> USBTMC devices can use an optional interrupt endpoint for notification
> messages. These typically contain two-byte headers indicating the
> payload format, but the driver does not check if these headers are
> present before accessing the data buffers. In cases where the URB
> actual_length is not enough to fit these headers, the driver will either
> cause an out-of-bounds read, or consume stale leftover data from a
> previous notification.
>
> Fix by checking if actual_data contains enough bytes for the headers,
> otherwise resubmit URB to the interrupt endpoint.

Would it be simpler to solve this by setting the two header bytes to 0
before submitting the URB? Then if the device did not send enough data,
the header values would be 0, which should prevent any reads from being
out-of-bounds or getting stale data.

Alan Stern