github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-04 20:46:48 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

USB: serial: cypress_m8: fix memory corruption with small endpoint

Browse Source 
Make sure that the interrupt-out endpoint max packet size is at least
eight bytes to avoid user-controlled slab corruption or NULL-pointer
dereference should a malicious device report a smaller size.

Fixes: 3416eaa1f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org	# 2.6.26
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
This commit is contained in:
Johan Hovold 2026-05-22 12:16:21 +02:00
parent 689f2facc6
commit e1a9d791fd
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
drivers/usb/serial/cypress_m8.c
View File

@ -445,6 +445,14 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
return -ENODEV;
}
/*
* The buffer must be large enough for the one or two-byte header (and
* following data), but assume anything smaller than eight bytes is
* broken.
*/
if (port->interrupt_out_size < 8)
return -EINVAL;
priv = kzalloc_obj(struct cypress_private);
if (!priv)
return -ENOMEM;