USB: cxacru: check data length is not negative

When attempting to read data that is not actually
an array of values, the length may be negative
which causes an Oops due to a likely access off
the end of the data array.

This bug should not occur under normal use unless
the device returns an invalid response.

Signed-off-by: Simon Arlott <simon@fire.lp0.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c
index 4a26a6c..8da4a06 100644 (file)
--- a/drivers/usb/atm/cxacru.c
+++ b/drivers/usb/atm/cxacru.c
@@ -596,7 +596,7 @@ static int cxacru_cm_get_array(struct cxacru_data *instance, enum cxacru_cm_requ
        len = ret / 4;
        for (offb = 0; offb < len; ) {
                int l = le32_to_cpu(buf[offb++]);
-               if (l > stride || l > (len - offb) / 2) {
+               if (l < 0 || l > stride || l > (len - offb) / 2) {
                        if (printk_ratelimit())
                                usb_err(instance->usbatm, "invalid data length from cm %#x: %d\n",
                                        cm, l);