USB: whiteheat: Added bounds checking for bulk command response
authorJames Forshaw <forshaw@google.com>
Sat, 23 Aug 2014 21:39:48 +0000 (14:39 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Sep 2014 23:34:17 +0000 (16:34 -0700)
commitebc8083c7fe92a2a4ab8eed0572882c3dfd3746a
tree59408ff45827abb7c6c8b3c9f93c26b132d75a80
parentf0fb2f24c10bdb4964d897ae9ec276e83d4e1a5a
USB: whiteheat: Added bounds checking for bulk command response

commit 6817ae225cd650fb1c3295d769298c38b1eba818 upstream.

This patch fixes a potential security issue in the whiteheat USB driver
which might allow a local attacker to cause kernel memory corrpution. This
is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
EHCI and XHCI busses it's possible to craft responses greater than 64
bytes leading a buffer overflow.

Signed-off-by: James Forshaw <forshaw@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/serial/whiteheat.c