[PATCH] USB: serial: belkin_sa: validate interrupt status length
From: Zhang Cen
Date: Sat May 16 2026 - 00:24:54 EST
The Belkin interrupt callback treats the interrupt packet as a four-byte
status report and reads LSR/MSR fields at offsets 2 and 3. The
interrupt-in buffer length is derived from endpoint wMaxPacketSize,
and short interrupt transfers may complete successfully with a smaller
actual_length.

Do not parse interrupt status unless both the URB buffer and the completed
packet are large enough for the status fields. This prevents devices with
short interrupt endpoints or short successful packets from driving
out-of-bounds or stale status-byte reads.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhang Cen <rollkingzzc@xxxxxxxxx>
---
drivers/usb/serial/belkin_sa.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/serial/belkin_sa.c b/drivers/usb/serial/belkin_sa.c
index 38ac910b1082..a1e4173a2877 100644
--- a/drivers/usb/serial/belkin_sa.c
+++ b/drivers/usb/serial/belkin_sa.c
@@ -192,6 +192,10 @@ static void belkin_sa_read_int_callback(struct urb *urb)
goto exit;
}
+ if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1 ||
+ urb->transfer_buffer_length < BELKIN_SA_MSR_INDEX + 1)
+ goto exit;
+
usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data);
/* Handle known interrupt data */
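Review bot: the second condition, urb->transfer_buffer_length < BELKIN_SA_MSR_INDEX + 1, looks redundant next to the actual_length test. A completed URB should never report an actual_length larger than its transfer_buffer_length, so actual_length >= BELKIN_SA_MSR_INDEX + 1 already implies the buffer is big enough, and the check can be a single line. The new test also sits above usb_serial_debug_data(), so short packets are dropped without ever being logged. Consider moving it below that call, or adding a dev_dbg() that prints urb->actual_length, so a device sending short status reports is visible when debugging. A one-line comment saying that BELKIN_SA_MSR_INDEX is the highest offset the handler reads would explain the "+ 1".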
--
2.43.0