From a6c042f95031afbeb0b0fb77643bc9211a3f2e2e Mon Sep 17 00:00:00 2001
From: Johan Hovold <jhovold@gmail.com>
Date: Tue, 16 Apr 2013 18:01:22 +0200
Subject: [PATCH] USB: omninet: refactor read-urb processing

Refactor read-urb processing, and add sanity checks on header and data
lengths.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/omninet.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/serial/omninet.c b/drivers/usb/serial/omninet.c
index 9dcaa7727de5..7aaf9692b334 100644
--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -158,11 +158,26 @@ static void omninet_close(struct usb_serial_port *port)
 #define OMNINET_BULKOUTSIZE	64
 #define OMNINET_PAYLOADSIZE	(OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
 
+static void omninet_process_read_urb(struct urb *urb)
+{
+	struct usb_serial_port *port = urb->context;
+	const struct omninet_header *hdr = urb->transfer_buffer;
+	const unsigned char *data;
+	size_t data_len;
+
+	if (urb->actual_length <= OMNINET_HEADERLEN || !hdr->oh_len)
+		return;
+
+	data = (char *)urb->transfer_buffer + OMNINET_HEADERLEN;
+	data_len = min_t(size_t, urb->actual_length - OMNINET_HEADERLEN,
+								hdr->oh_len);
+	tty_insert_flip_string(&port->port, data, data_len);
+	tty_flip_buffer_push(&port->port);
+}
+
 static void omninet_read_bulk_callback(struct urb *urb)
 {
 	struct usb_serial_port 	*port 	= urb->context;
-	unsigned char 		*data 	= urb->transfer_buffer;
-	struct omninet_header 	*header = (struct omninet_header *) &data[0];
 	int status = urb->status;
 	int result;
 
@@ -172,11 +187,7 @@ static void omninet_read_bulk_callback(struct urb *urb)
 		return;
 	}
 
-	if (urb->actual_length && header->oh_len) {
-		tty_insert_flip_string(&port->port, data + OMNINET_HEADERLEN,
-				header->oh_len);
-		tty_flip_buffer_push(&port->port);
-	}
+	omninet_process_read_urb(urb);
 
 	/* Continue trying to always read  */
 	result = usb_submit_urb(urb, GFP_ATOMIC);
-- 
2.20.1