> On 04. 05. 22, 10:17, D. Starke wrote:
> > From: Daniel Starke <daniel.starke@xxxxxxxxxxx>
> >
> > 'len' is decreased after each octet that has its EA bit set to 0,
> > which means that the value is encoded with additional octets. However,
> > the final octet does not decrease 'len' which results in 'len' being
> > one byte too long. A buffer over-read may occur in
> > tty_insert_flip_string() as it tries to read one byte more than the
> > passed content size of 'data'.
> > Decrease 'len' also for the final octet which has the EA bit set to 1
> > to write the correct number of bytes from the internal receive buffer
> > to the virtual tty.
> >
> > Fixes: 2e124b4a390c ("TTY: switch tty_flip_buffer_push")
>
> That commit barely introduced the problem.

You are right. It was introduced in commit
e1eaea46bb40 ("tty: n_gsm line discipline")

This patch was already included in the tty-linus branch.
Shall I resubmit it nevertheless?

Best regards,
Daniel Starke
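
The length accounting discussed in this thread, as an added user-space example that is not part of the mail or of the kernel source: it contrasts the off-by-one described in the commit message with accounting that subtracts every octet of the EA-encoded field. The function names, the sample frame and the choice of bit 0 as the EA bit (as in GSM 07.10) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EA 0x01 /* assumed: extension bit, 1 marks the final octet of a field */

/* Constructed sample: 2-octet EA field (0x02 has EA=0, 0x03 has EA=1) + "ABC". */
static const uint8_t sample[] = { 0x02, 0x03, 'A', 'B', 'C' };

/* Accounting as the commit message describes the bug: 'len' shrinks only for
 * continuation octets, so the final EA=1 octet is still counted as payload. */
static size_t payload_len_buggy(const uint8_t *data, size_t len)
{
    if (len == 0)
        return 0;
    while ((*data++ & EA) == 0) {
        if (--len == 0)
            return 0;           /* field never terminated */
    }
    return len;                 /* one too many: final octet not subtracted */
}

/* Corrected accounting: every header octet, including the final one, is
 * subtracted. Returns the payload length, sets *payload and *val; returns 0
 * with *payload == NULL when the field is truncated. */
static size_t payload_len_fixed(const uint8_t *data, size_t len,
                                const uint8_t **payload, unsigned int *val)
{
    *payload = NULL;
    *val = 0;
    while (len > 0) {
        uint8_t c = *data++;
        len--;                  /* consumed for every octet of the field */
        *val = (*val << 7) | (c >> 1);
        if (c & EA) {
            *payload = data;
            return len;
        }
    }
    return 0;
}

int main(void)
{
    const uint8_t *p;
    unsigned int v;
    printf("buggy=%zu fixed=%zu of %zu total\n",
           payload_len_buggy(sample, sizeof sample),
           payload_len_fixed(sample, sizeof sample, &p, &v), sizeof sample);
    return 0;
}
```

With the buggy length, a copy starting after the two header octets would cover four bytes of a buffer that has only three left, which is the one-byte over-read the commit message describes.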