Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp1526567iof; Tue, 7 Jun 2022 07:13:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzXMBW+PZ53ZO9+8rJ4DUujMeB/b3ClG6U4KnOhjRA9vJatEEUQVLum4qgzWqgWFee3fQyG X-Received: by 2002:a05:6402:2753:b0:431:9c8b:5635 with SMTP id z19-20020a056402275300b004319c8b5635mr629865edd.152.1654611213155; Tue, 07 Jun 2022 07:13:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654611213; cv=none; d=google.com; s=arc-20160816; b=QGN3jF8QItgLy/2yRCurc1UUr8NgVoIk8JjtHJ07XhtAhMZSOUUaB5CwmhzlUL6iZV EDD4onF7j3SxQpVa8nXdicSvMyCdHVLqaDp1ddRVDoFUkLVpJg7h3EbaGhL3oJ3bxdHF H52Vw0tI2+0rtEwHSZ48MA6FLVPzoJ6Q/H7J25YNMOF6DnJYo4T1wmgAUurJq88RuzQ+ CZWmobUBXJzEkLCnOvo72tZPHYUmCw43mG7/XKU7nNiVjlwgZZ2fAjEd0pd8EVUUzuJK bXjKpwKmZ8p5GFFZp4egvQ/AvLfRFuT7vt/aGmY2yJCN3s/0nUFTzaKJGRkmkiT/D/fw OmgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:to:from; bh=by3ywzAvx1E0PJdy5qQgt5k/WRywxK9R4L8T6+BlxSg=; b=gjezw8CeyJuHS6nydERvowqYuQQbAhqAke3bmXbtlijIwxpXMvo1SNy6m3+kt7aw/v +zP+lmdYPelK/4EV3T2yPyWt9wtS4Rr4D6705emfGsCJg73TnboO8Hwcbr/VndBLmaxY q5y/rkwb9OQMuIxzroB/FUxN5jAtd1koR3Wo/ViRcK35GdnJ94tOpdn3XkoL4ql3Kw6J 3V+/wvy3V2SzNfsw4Zw6o3NTRBnadBvjvplLzrmpijd6H9gva4bmGFcywwCXV8kQ2V+M 4KXoGNW29chjSEqZUVST/9Viqf8ozt7k1rpLicp4njNl48hc2V5QPYfrXD9cdFxiA5ew bQ1g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ruc.edu.cn Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id cr19-20020a170906d55300b006e8bd883224si22713887ejc.792.2022.06.07.07.13.04; Tue, 07 Jun 2022 07:13:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ruc.edu.cn Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242793AbiFGLUp (ORCPT + 99 others); Tue, 7 Jun 2022 07:20:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58570 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238470AbiFGLTy (ORCPT ); Tue, 7 Jun 2022 07:19:54 -0400 Received: from smtp.ruc.edu.cn (m177126.mail.qiye.163.com [123.58.177.126]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 74B1B54691 for ; Tue, 7 Jun 2022 04:18:11 -0700 (PDT) Received: from localhost.localdomain (unknown [202.112.113.212]) by smtp.ruc.edu.cn (Hmail) with ESMTPSA id D85168009E; Tue, 7 Jun 2022 19:18:08 +0800 (CST) From: Xiaohui Zhang To: Xiaohui Zhang , Ian Abbott , H Hartley Sweeten , Greg Kroah-Hartman , Johan Hovold , linux-kernel@vger.kernel.org Subject: [PATCH 1/1] comedi: ni_usb6501: fix transfer-buffer overflows Date: Tue, 7 Jun 2022 19:18:02 +0800 Message-Id: <20220607111802.13311-1-xiaohuizhang@ruc.edu.cn> X-Mailer: git-send-email 2.17.1 X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgPGg8OCBgUHx5ZQUlOS1dZCBgUCR5ZQVlLVUtZV1 kWDxoPAgseWUFZKDYvK1lXWShZQUhPN1dZLVlBSVdZDwkaFQgSH1lBWRpISE9WGEJDGE5MTEJDGk 1CVRMBExYaEhckFA4PWVdZFhoPEhUdFFlBWU9LSFVKSktISkNVS1kG X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6OjY6PBw4LD03TBcQAU8hVgw# KQlPCitVSlVKTU5PTUtLTUNCTk5KVTMWGhIXVQMSGhQTDhIBExoVHDsJDhhVHh8OVRgVRVlXWRIL WUFZSUtJVUpKSVVKSkhVSUpJWVdZCAFZQUlPSk83Bg++ X-HM-Tid: 0a813de2e5c32c20kusnd85168009e X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Similar to the handling of vmk80xx_alloc_usb_buffers in commit a23461c47482("comedi: vmk80xx: fix transfer-buffer overflows"), we thought a patch might be needed here as well. The driver uses endpoint-sized USB transfer buffers but up until recently had no sanity checks on the sizes. Signed-off-by: Xiaohui Zhang --- drivers/comedi/drivers/ni_usb6501.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/comedi/drivers/ni_usb6501.c b/drivers/comedi/drivers/ni_usb6501.c index 0dd9edf7bced..8303bfc305c5 100644 --- a/drivers/comedi/drivers/ni_usb6501.c +++ b/drivers/comedi/drivers/ni_usb6501.c @@ -90,6 +90,7 @@ #include #define NI6501_TIMEOUT 1000 +#define MIN_BUF_SIZE 64 /* Port request packets */ static const u8 READ_PORT_REQUEST[] = {0x00, 0x01, 0x00, 0x10, @@ -459,12 +460,12 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev) struct ni6501_private *devpriv = dev->private; size_t size; - size = usb_endpoint_maxp(devpriv->ep_rx); + size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE); devpriv->usb_rx_buf = kzalloc(size, GFP_KERNEL); if (!devpriv->usb_rx_buf) return -ENOMEM; - size = usb_endpoint_maxp(devpriv->ep_tx); + size = max(usb_endpoint_maxp(devpriv->ep_tx), MIN_BUF_SIZE); devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); if (!devpriv->usb_tx_buf) return -ENOMEM; -- 2.17.1