| Message ID | 20250407130000.GD20970@altlinux.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | ueagle-atm: enforce boundary check for sync_wait[] | expand |
On Mon, Apr 07, 2025 at 04:00:00PM +0300, Alexey V. Vissarionov wrote: > After several increments of modem_index (e.g. after plugging and > removing the device several times) modem_index may reach NB_MODEM > value causing the out-of-boundary sync_wait[] array access. > > Found by ALT Linux Team (altlinux.org) and Linux Verification Center > (linuxtesting.org). > > Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver") > Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org> Acked-by: Stanislaw Gruszka <stf_xl@wp.pl> > --- > drivers/usb/atm/ueagle-atm.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c > index cd0f7b4bd82ab132..436412b62c910e2f 100644 > --- a/drivers/usb/atm/ueagle-atm.c > +++ b/drivers/usb/atm/ueagle-atm.c > @@ -2500,7 +2500,9 @@ static int uea_bind(struct usbatm_data *usbatm, struct usb_interface *intf, > if (ifnum != UEA_INTR_IFACE_NO) > return -ENODEV; > > - usbatm->flags = (sync_wait[modem_index] ? 0 : UDSL_SKIP_HEAVY_INIT); > + usbatm->flags = > + modem_index < NB_MODEM && sync_wait[modem_index] ? > + 0 : UDSL_SKIP_HEAVY_INIT; > > /* interface 1 is for outbound traffic */ > ret = claim_interface(usb, usbatm, UEA_US_IFACE_NO); > > -- > Alexey V. Vissarionov > gremlin ПРИ altlinux ТЧК org; +vii-cmiii-ccxxix-lxxix-xlii > GPG: 0D92F19E1C0DC36E27F61A29CD17E2B43D879005 @ hkp://keys.gnupg.net
diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c index cd0f7b4bd82ab132..436412b62c910e2f 100644 --- a/drivers/usb/atm/ueagle-atm.c +++ b/drivers/usb/atm/ueagle-atm.c @@ -2500,7 +2500,9 @@ static int uea_bind(struct usbatm_data *usbatm, struct usb_interface *intf, if (ifnum != UEA_INTR_IFACE_NO) return -ENODEV; - usbatm->flags = (sync_wait[modem_index] ? 0 : UDSL_SKIP_HEAVY_INIT); + usbatm->flags = + modem_index < NB_MODEM && sync_wait[modem_index] ? + 0 : UDSL_SKIP_HEAVY_INIT; /* interface 1 is for outbound traffic */ ret = claim_interface(usb, usbatm, UEA_US_IFACE_NO);
After several increments of modem_index (e.g. after plugging and removing the device several times) modem_index may reach NB_MODEM value causing the out-of-boundary sync_wait[] array access. Found by ALT Linux Team (altlinux.org) and Linux Verification Center (linuxtesting.org). Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver") Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org> --- drivers/usb/atm/ueagle-atm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)