> On 04. 05. 22, 10:17, D. Starke wrote:
> > From: Daniel Starke <daniel.starke@xxxxxxxxxxx>
> >
> > 'len' is decreased after each octet that has its EA bit set to 0,
> > which means that the value is encoded with additional octets. However,
> > the final octet does not decreases 'len' which results in 'len' being
> > one byte too long. A buffer over-read may occur in
> > tty_insert_flip_string() as it tries to read one byte more than the passed content size of 'data'.
> > Decrease 'len' also for the final octet which has the EA bit set to 1
> > to write the correct number of bytes from the internal receive buffer
> > to the virtual tty.
> >
> > Fixes: 2e124b4a390c ("TTY: switch tty_flip_buffer_push")
>
> That commit barely introduced the problem.
You are right. It was introduced in
commit e1eaea46bb40 ("tty: n_gsm line discipline")
This patch was already included in the tty-linus branch. Shall I resubmit it nevertheless?
Best regards,
Daniel Starke
