A malicious USB device could set port_number to -3 and we would
underflow the edge_serial->serial->port[] array.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <[email protected]>
diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index 6d1d6efa3055..fa2af18c6efe 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -1629,7 +1629,7 @@ static void edge_interrupt_callback(struct urb *urb)
struct device *dev;
unsigned char *data = urb->transfer_buffer;
int length = urb->actual_length;
- int port_number;
+ unsigned int port_number;
int function;
int retval;
__u8 lsr;
