Hi!
commit e7b931bee739e8a77ae216e613d3b99342b6dec0 upstream.
The driver would happily overwrite its write buffer with user data in 256 byte increments due to a removed buffer-space sanity check.
+++ b/drivers/usb/serial/iuu_phoenix.c @@ -697,14 +697,16 @@ static int iuu_uart_write(struct tty_str struct iuu_private *priv = usb_get_serial_port_data(port); unsigned long flags;
- if (count > 256)
return -ENOMEM;
- spin_lock_irqsave(&priv->lock, flags);
- count = min(count, 256 - priv->writelen);
- if (count == 0)
goto out;
- /* fill the buffer */ memcpy(priv->writebuf + priv->writelen, buf, count); priv->writelen += count;
+out: spin_unlock_irqrestore(&priv->lock, flags); return count;
Ok, so... goto and label is unneccessary, memcpy will do the right thing with count == 0.
That's generally too subtle. Better to clearly mark the error/exception path.
We usually avoid subtle code by introducing comments, not by introducing extra (and confusing) code that can not be optimized out.
Best regards, Pavel