Refactor read-urb processing, and add sanity checks on header and data lengths. Signed-off-by: Johan Hovold <jhovold@xxxxxxxxx> --- drivers/usb/serial/omninet.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/drivers/usb/serial/omninet.c b/drivers/usb/serial/omninet.c index 9dcaa77..7aaf969 100644 --- a/drivers/usb/serial/omninet.c +++ b/drivers/usb/serial/omninet.c @@ -158,11 +158,26 @@ static void omninet_close(struct usb_serial_port *port) #define OMNINET_BULKOUTSIZE 64 #define OMNINET_PAYLOADSIZE (OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN) +static void omninet_process_read_urb(struct urb *urb) +{ + struct usb_serial_port *port = urb->context; + const struct omninet_header *hdr = urb->transfer_buffer; + const unsigned char *data; + size_t data_len; + + if (urb->actual_length <= OMNINET_HEADERLEN || !hdr->oh_len) + return; + + data = (char *)urb->transfer_buffer + OMNINET_HEADERLEN; + data_len = min_t(size_t, urb->actual_length - OMNINET_HEADERLEN, + hdr->oh_len); + tty_insert_flip_string(&port->port, data, data_len); + tty_flip_buffer_push(&port->port); +} + static void omninet_read_bulk_callback(struct urb *urb) { struct usb_serial_port *port = urb->context; - unsigned char *data = urb->transfer_buffer; - struct omninet_header *header = (struct omninet_header *) &data[0]; int status = urb->status; int result; @@ -172,11 +187,7 @@ static void omninet_read_bulk_callback(struct urb *urb) return; } - if (urb->actual_length && header->oh_len) { - tty_insert_flip_string(&port->port, data + OMNINET_HEADERLEN, - header->oh_len); - tty_flip_buffer_push(&port->port); - } + omninet_process_read_urb(urb); /* Continue trying to always read */ result = usb_submit_urb(urb, GFP_ATOMIC); -- 1.8.1.5 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html