authorJohan Hovold <johan@kernel.org>2020-07-15 12:02:45 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-07-22 10:22:26 +0300
commit386f58cb409458bfe8a9c855012a16573b152be5 (patch)
tree0c079d89513d510f5655175a5d942c0bead8eed1
parentc0689058968d4cf756d1fe887c62dc57edcefbc0 (diff)
downloadlinux-386f58cb409458bfe8a9c855012a16573b152be5.tar.xz
USB: serial: iuu_phoenix: fix memory corruption
commit e7b931bee739e8a77ae216e613d3b99342b6dec0 upstream. The driver would happily overwrite its write buffer with user data in 256 byte increments due to a removed buffer-space sanity check. Fixes: 5fcf62b0f1f2 ("tty: iuu_phoenix: fix locking.") Cc: stable <stable@vger.kernel.org> # 2.6.31 Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/usb/serial/iuu_phoenix.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c
index 18fc992a245f..a1a11f8bb2a3 100644
--- a/drivers/usb/serial/iuu_phoenix.c
+++ b/drivers/usb/serial/iuu_phoenix.c
@@ -704,14 +704,16 @@ static int iuu_uart_write(struct tty_struct *tty, struct usb_serial_port *port,
struct iuu_private *priv = usb_get_serial_port_data(port);
unsigned long flags;
- if (count > 256)
- return -ENOMEM;
-
spin_lock_irqsave(&priv->lock, flags);
+ count = min(count, 256 - priv->writelen);
+ if (count == 0)
+ goto out;
+
/* fill the buffer */
memcpy(priv->writebuf + priv->writelen, buf, count);
priv->writelen += count;
+out:
spin_unlock_irqrestore(&priv->lock, flags);
return count;
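Review bot: The bound in `count = min(count, 256 - priv->writelen);` repeats the buffer size as a bare literal, and the allocation of `priv->writebuf` is not visible in this hunk, so nothing here ties the clamp to the real size of the buffer that `memcpy()` writes into. A constant shared with the allocation site would keep the two in step, e.g. `count = min(count, IUU_WRITEBUF_SIZE - priv->writelen);` (the name is only a suggestion). The clamp also relies on `priv->writelen` never exceeding 256 when the lock is taken. This function preserves that, but the other writers of `writelen` are outside the hunk, so a comment such as `/* writelen <= 256 is maintained under priv->lock */` above the clamp would record the invariant. The body of iuu_uart_write starts before the hunk.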