USB: serial: iuu_phoenix: fix memory corruption
The driver would happily overwrite its write buffer with user data in
256 byte increments due to a removed buffer-space sanity check.

Fixes: 5fcf62b ("tty: iuu_phoenix: fix locking.")
Cc: stable <stable@vger.kernel.org>     # 2.6.31
Signed-off-by: Johan Hovold <johan@kernel.org>
Johan Hovold committed Jul 16, 2020
1 parent da6902e commit e7b931b
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions drivers/usb/serial/iuu_phoenix.c
Expand Up @@ -697,14 +697,16 @@ static int iuu_uart_write(struct tty_struct *tty, struct usb_serial_port *port,
struct iuu_private *priv = usb_get_serial_port_data(port);
unsigned long flags;

if (count > 256)
return -ENOMEM;

spin_lock_irqsave(&priv->lock, flags);

count = min(count, 256 - priv->writelen);
if (count == 0)
goto out;

/* fill the buffer */
memcpy(priv->writebuf + priv->writelen, buf, count);
priv->writelen += count;
out:
spin_unlock_irqrestore(&priv->lock, flags);

return count;
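
Review bot: the literal 256 in `count = min(count, 256 - priv->writelen);` is the only thing tying this clamp to the size of `priv->writebuf`, and the allocation is not visible in this hunk, so a later change to the buffer size would silently bring the overflow back. Consider a named constant shared with the allocation site, used both here and wherever `writelen` is reset. It would also help to note in the commit message or a comment that the function can now return a short count, or 0 when the buffer is full, alongside the `if (count > 256)` / `return -ENOMEM` pair shown in the same hunk, so the effect on callers that retry on a short write is explicit.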