USB: whiteheat: Added bounds checking for bulk command response
authorJames Forshaw <forshaw@google.com>
Sat, 23 Aug 2014 21:39:48 +0000 (14:39 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 24 Aug 2014 19:15:08 +0000 (14:15 -0500)
commit6817ae225cd650fb1c3295d769298c38b1eba818
treed69bd853fbfce025a5f5b52af6085f61ae8e8808
parentc3d3af52904b789cecd5a3915f0593bdbdc8dc58
USB: whiteheat: Added bounds checking for bulk command response

This patch fixes a potential security issue in the whiteheat USB driver
which might allow a local attacker to cause kernel memory corrpution. This
is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
EHCI and XHCI busses it's possible to craft responses greater than 64
bytes leading a buffer overflow.

Signed-off-by: James Forshaw <forshaw@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/serial/whiteheat.c