[PATCH] USB: serial: io_ti: array underflow in edge_interrupt_callback()

Tue, 14 Aug 2018 02:08:05 -0700 

A malicious USB device could set port_number to -3 and we would
underflow the edge_serial->serial->port[] array.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index 6d1d6efa3055..fa2af18c6efe 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -1629,7 +1629,7 @@ static void edge_interrupt_callback(struct urb *urb)
        struct device *dev;
        unsigned char *data = urb->transfer_buffer;
        int length = urb->actual_length;
-       int port_number;
+       unsigned int port_number;
        int function;
        int retval;
        __u8 lsr;

Reply via email to