This is a note to let you know that I've just added the patch titled USB: serial: garmin_gps: add sanity checking for data length to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: usb-serial-garmin_gps-add-sanity-checking-for-data-length.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From e9b3c610a05c1cdf8e959a6d89c38807ff758ee6 Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum@xxxxxxxx> Date: Wed, 15 Apr 2020 16:03:04 +0200 Subject: USB: serial: garmin_gps: add sanity checking for data length From: Oliver Neukum <oneukum@xxxxxxxx> commit e9b3c610a05c1cdf8e959a6d89c38807ff758ee6 upstream. We must not process packets shorter than a packet ID Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx> Reported-and-tested-by: syzbot+d29e9263e13ce0b9f4fd@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@xxxxxxxxxxxxxxx> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/serial/garmin_gps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/usb/serial/garmin_gps.c +++ b/drivers/usb/serial/garmin_gps.c @@ -1161,8 +1161,8 @@ static void garmin_read_process(struct g send it directly to the tty port */ if (garmin_data_p->flags & FLAGS_QUEUING) { pkt_add(garmin_data_p, data, data_length); - } else if (bulk_data || - getLayerId(data) == GARMIN_LAYERID_APPL) { + } else if (bulk_data || (data_length >= sizeof(u32) && + getLayerId(data) == GARMIN_LAYERID_APPL)) { spin_lock_irqsave(&garmin_data_p->lock, flags); garmin_data_p->flags |= APP_RESP_SEEN; Patches currently in stable-queue which might be from oneukum@xxxxxxxx are queue-4.14/usb-uas-add-quirk-for-lacie-2big-quadra.patch queue-4.14/usb-serial-garmin_gps-add-sanity-checking-for-data-length.patch