From patchwork Mon May 16 19:36:42 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Greg Kroah-Hartman
X-Patchwork-Id: 573768
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Starke
Subject: [PATCH 5.15 068/102] tty: n_gsm: fix buffer over-read in gsm_dlci_data()
Date: Mon, 16 May 2022 21:36:42 +0200
Message-Id: <20220516193625.949023655@linuxfoundation.org>
In-Reply-To: <20220516193623.989270214@linuxfoundation.org>
References: <20220516193623.989270214@linuxfoundation.org>

From: Daniel Starke

commit fd442e5ba30aaa75ea47b32149e7a3110dc20a46 upstream.

'len' is decreased after each octet that has its EA bit set to 0, which means that the value is encoded with additional octets. However, the final octet does not decrease 'len' which results in 'len' being one byte too long. A buffer over-read may occur in tty_insert_flip_string() as it tries to read one byte more than the passed content size of 'data'.

Decrease 'len' also for the final octet which has the EA bit set to 1 to write the correct number of bytes from the internal receive buffer to the virtual tty.

Fixes: 2e124b4a390c ("TTY: switch tty_flip_buffer_push")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Starke
Link: https://lore.kernel.org/r/20220504081733.3494-1-daniel.starke@siemens.com
Signed-off-by: Greg Kroah-Hartman

--- drivers/tty/n_gsm.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -1587,6 +1587,7 @@ static void gsm_dlci_data(struct gsm_dlc if (len == 0) return; } + len--; slen++; tty = tty_port_tty_get(port); if (tty) {
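
Review bot: the added `len--;` after the closing brace of the loop runs unconditionally, while the only visible `if (len == 0) return;` guard sits inside the loop body, so when the very first octet already has its EA bit set to 1 the decrement happens without any check in this hunk that `len` was non-zero on entry. If a zero-length payload can reach this point, `len` would wrap or go negative (depending on its type, which is not visible here) before it is used as the byte count for the tty insert that the commit message names. Please confirm that the caller or earlier code in `gsm_dlci_data()` guarantees `len >= 1` here, or add an explicit check before the decrement. A one-line comment above `len--;` saying that it accounts for the final octet with EA set to 1 would also make the pairing with `slen++;` easier to follow.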