| From fd442e5ba30aaa75ea47b32149e7a3110dc20a46 Mon Sep 17 00:00:00 2001 |
| From: Daniel Starke <daniel.starke@siemens.com> |
| Date: Wed, 4 May 2022 10:17:31 +0200 |
| Subject: tty: n_gsm: fix buffer over-read in gsm_dlci_data() |
| |
| From: Daniel Starke <daniel.starke@siemens.com> |
| |
| commit fd442e5ba30aaa75ea47b32149e7a3110dc20a46 upstream. |
| |
| 'len' is decreased after each octet that has its EA bit set to 0, which |
| means that the value is encoded with additional octets. However, the final |
| octet does not decrease 'len' which results in 'len' being one byte too |
| long. A buffer over-read may occur in tty_insert_flip_string() as it tries |
| to read one byte more than the passed content size of 'data'. |
| Decrease 'len' also for the final octet which has the EA bit set to 1 to |
| write the correct number of bytes from the internal receive buffer to the |
| virtual tty. |
| |
| Fixes: 2e124b4a390c ("TTY: switch tty_flip_buffer_push") |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Daniel Starke <daniel.starke@siemens.com> |
| Link: https://lore.kernel.org/r/20220504081733.3494-1-daniel.starke@siemens.com |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/tty/n_gsm.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/drivers/tty/n_gsm.c |
| +++ b/drivers/tty/n_gsm.c |
| @@ -1658,6 +1658,7 @@ static void gsm_dlci_data(struct gsm_dlc |
| if (len == 0) |
| return; |
| } |
| + len--; |
| slen++; |
| tty = tty_port_tty_get(port); |
| if (tty) { |