Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp1745219iof; Tue, 7 Jun 2022 10:40:10 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx+pHtsmOK9xbX591HE5ZYbiNAPwmf+p4/ple10iCgfEGxp9VYvZPrLUafoxPjseL9evsWz X-Received: by 2002:a05:6402:528a:b0:42d:e116:fab8 with SMTP id en10-20020a056402528a00b0042de116fab8mr34093714edb.134.1654623609935; Tue, 07 Jun 2022 10:40:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654623609; cv=none; d=google.com; s=arc-20160816; b=F0ieu2yKbNdZIlLkIopNIKb3CRJOr5v0Vwq+89VrXFQcN3BthN00BfAZhgIDZ8T2IC 9A6cEmK638mQbrOP63TJh8lr1G/Yz+WEk+3TdXUQTeGuc3ngfrUiUmCIC72eA/c/Hs27 jrX84B/VVzbgMaJxPqZc9vYBDehoGD0js9y4dLJ2nVgSWhpHPIpAUxmldmKK3HCJ3b7q nRWuD2BQ3hul+E0hIjpZTRTqpB7nkTLTiFjyzkphBsNB6AUjVPk+PxysYXpvz1i0E/wi 387JUlXi1xwG1qTRuqRYBQ6T9X7qOTYe0V73nuEzg8SXLQSRzhSz2h8M4OpbqDEhqSVM R+dw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:to:from; bh=132F4dZP4tAGv8ANHZtef4f7MOCL0mIY6FVaZV694/w=; b=zPY1O77rOmBdNbQdiPZE44Fxpn6dYciPj8Ok+YetlIB3aERwB7XtxJKsaL4OqJBqSU Pqc2XDeUsODwnRF9zTdNePRoBsTb7joUqI1TSrf1xLnY80Y8WH91L6F1DIgzEFWM2TUe SJqQrFGMThIxTM8BLQIjNGEXvok2NSjkJnipEG30UUYVj7Mt6cxdMsSmFGgQDSemF+Kq CqMyaeFaeMH7j0F6V8Kb8jNr+x7l8dc1NqnmCP0IZHRqPuwQvqCFt259pHmax494767i o2p7QBuzw0jOlxiSNq7pbHtm98AWs1GglUQ1sm66F93OSF0RyQGoqvEuz/UZYPKJpbcJ BVOw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ruc.edu.cn Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e19-20020a056402149300b0042ad145b87fsi11062475edv.305.2022.06.07.10.39.42; Tue, 07 Jun 2022 10:40:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ruc.edu.cn Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244963AbiFGNrp (ORCPT + 99 others); Tue, 7 Jun 2022 09:47:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55192 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244898AbiFGNrb (ORCPT ); Tue, 7 Jun 2022 09:47:31 -0400 Received: from smtp.ruc.edu.cn (m177126.mail.qiye.163.com [123.58.177.126]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A3DD2275D5 for ; Tue, 7 Jun 2022 06:47:28 -0700 (PDT) Received: from localhost.localdomain (unknown [202.112.113.212]) by smtp.ruc.edu.cn (Hmail) with ESMTPSA id 142AB80053; Tue, 7 Jun 2022 21:47:26 +0800 (CST) From: Xiaohui Zhang To: Xiaohui Zhang , Ian Abbott , H Hartley Sweeten , Greg Kroah-Hartman , Johan Hovold , linux-kernel@vger.kernel.org Subject: [PATCH V2 1/1] comedi: ni_usb6501: fix transfer-buffer overflows Date: Tue, 7 Jun 2022 21:47:20 +0800 Message-Id: <20220607134720.6343-1-xiaohuizhang@ruc.edu.cn> X-Mailer: git-send-email 2.17.1 X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgPGg8OCBgUHx5ZQUlOS1dZCBgUCR5ZQVlLVUtZV1 kWDxoPAgseWUFZKDYvK1lXWShZQUhPN1dZLVlBSVdZDwkaFQgSH1lBWRpKSUpWGE9MThgaSB8eTx 5NVRMBExYaEhckFA4PWVdZFhoPEhUdFFlBWU9LSFVKSktISkNVS1kG X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6PRA6Eww*Cj09MRcYEU81Swsq L0wKCyhVSlVKTU5PTUtCTU9NTE1MVTMWGhIXVQMSGhQTDhIBExoVHDsJDhhVHh8OVRgVRVlXWRIL WUFZSUtJVUpKSVVKSkhVSUpJWVdZCAFZQUlOT0k3Bg++ X-HM-Tid: 0a813e6b92d52c20kusn142ab80053 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Similar to the handling of vmk80xx_alloc_usb_buffers in commit a23461c47482("comedi: vmk80xx: fix transfer-buffer overflows"), we thought a patch might be needed here as well. The driver uses endpoint-sized USB transfer buffers but up until recently had no sanity checks on the sizes. --- Fix the typo in the last bit of the old patch which use the wrong endpoint to determine the size for usb_tx_buf. Signed-off-by: Xiaohui Zhang --- drivers/comedi/drivers/ni_usb6501.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/comedi/drivers/ni_usb6501.c b/drivers/comedi/drivers/ni_usb6501.c index 0dd9edf7bced..8303bfc305c5 100644 --- a/drivers/comedi/drivers/ni_usb6501.c +++ b/drivers/comedi/drivers/ni_usb6501.c @@ -90,6 +90,7 @@ #include #define NI6501_TIMEOUT 1000 +#define MIN_BUF_SIZE 64 /* Port request packets */ static const u8 READ_PORT_REQUEST[] = {0x00, 0x01, 0x00, 0x10, @@ -459,12 +460,12 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev) struct ni6501_private *devpriv = dev->private; size_t size; - size = usb_endpoint_maxp(devpriv->ep_rx); + size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE); devpriv->usb_rx_buf = kzalloc(size, GFP_KERNEL); if (!devpriv->usb_rx_buf) return -ENOMEM; - size = usb_endpoint_maxp(devpriv->ep_tx); + size = max(usb_endpoint_maxp(devpriv->ep_tx), MIN_BUF_SIZE); devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); if (!devpriv->usb_tx_buf) return -ENOMEM; -- 2.17.1