USB: serial: mct_u232: fix missing interrupt-in transfer sanity check

Add the missing sanity check on the size of interrupt-in transfers to avoid parsing stale or uninitialised slab data (and leaking it to user space). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Johan Hovold <johan@kernel.org>
author: Johan Hovold <johan@kernel.org> 2026-05-20 16:27:10 +0200
committer: Johan Hovold <johan@kernel.org> 2026-05-20 16:27:10 +0200
commit: 245aba83e3c288e176ed037a1f6b618b09e92ed8 (patch)
tree: f7e46e6cb23ba29ba66c6301200d3d33d401797a
parent: 915b36d701950503c4ea0f6e314b10868e59fce3 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index ca1530da6e77..163161881d2d 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -544,6 +544,11 @@ static void mct_u232_read_int_callback(struct urb *urb)
 		goto exit;
 	}
 
+	if (urb->actual_length < 2) {
+		dev_warn_ratelimited(&port->dev, "short interrupt-in packet\n");
+		goto exit;
+	}
+
 	/*
 	 * The interrupt-in pipe signals exceptional conditions (modem line
 	 * signal changes and errors). data[0] holds MSR, data[1] holds LSR.
author	Johan Hovold <johan@kernel.org>	2026-05-20 16:27:10 +0200
committer	Johan Hovold <johan@kernel.org>	2026-05-20 16:27:10 +0200
commit	245aba83e3c288e176ed037a1f6b618b09e92ed8 (patch)
tree	f7e46e6cb23ba29ba66c6301200d3d33d401797a
parent	915b36d701950503c4ea0f6e314b10868e59fce3 (diff)