USB: serial: ti_usb_3410_5052: fix array underflow in completion handler

commit 5dfdd24eb3d39d815bc952ae98128e967c9bba49 upstream. Similarly to a recently reported bug in io_ti, a malicious USB device could set port_number to a negative value and we would underflow the port array in the interrupt completion handler. As these devices only have one or two ports, fix this by making sure we only consider the seventh bit when determining the port number (and ignore bits 0xb0 which are typically set to 0x30). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Johan Hovold <johan@kernel.org> 2018-08-21 11:59:53 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-09-26 08:35:10 +0200
commit: 8b97b2ec3672471fa2b0a6242001280b9854ad8a (patch)
tree: 0399092f3792aba284158a71877f19982a72e59b
parent: 86312d58a9defcc840c8f68ff36d82130cb84c28 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/serial/ti_usb_3410_5052.h b/drivers/usb/serial/ti_usb_3410_5052.h
index 98f35c656c02..0cd247f75b8b 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.h
+++ b/drivers/usb/serial/ti_usb_3410_5052.h
@@ -227,7 +227,7 @@ struct ti_interrupt {
 } __attribute__((packed));
 
 /* Interrupt codes */
-#define TI_GET_PORT_FROM_CODE(c)	(((c) >> 4) - 3)
+#define TI_GET_PORT_FROM_CODE(c)	(((c) >> 6) & 0x01)
 #define TI_GET_FUNC_FROM_CODE(c)	((c) & 0x0f)
 #define TI_CODE_HARDWARE_ERROR		0xFF
 #define TI_CODE_DATA_ERROR		0x03
author	Johan Hovold <johan@kernel.org>	2018-08-21 11:59:53 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-09-26 08:35:10 +0200
commit	8b97b2ec3672471fa2b0a6242001280b9854ad8a (patch)
tree	0399092f3792aba284158a71877f19982a72e59b
parent	86312d58a9defcc840c8f68ff36d82130cb84c28 (diff)