CVE-2024-36016

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 29/05/2024
Last modified: 04/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

Assuming the following:
- side A configures the n_gsm in basic option mode
- side B sends the header of a basic option mode frame with data length 1
- side A switches to advanced option mode
- side B sends 2 data bytes which exceeds gsm->len
  Reason: gsm->len is not used in advanced option mode.
- side A switches to basic option mode
- side B keeps sending until gsm0_receive() writes past gsm->buf
  Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration.

Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru.

All other checks remain as we still need to limit the data according to the user configuration and actual payload size.
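The count/len comparison described above, as a simplified user-space model (an added example, not the kernel's code). `rx_model`, `MODEL_MAX_MRU`, the state names and the function names are hypothetical, and the model reports a store that would land past the buffer instead of performing it.

```c
#include <stdio.h>
#define MODEL_MAX_MRU 8 /* stand-in for the kernel's MAX_MRU; small value chosen for the model */
enum rx_state { RX_DATA, RX_FCS, RX_SEARCH };
struct rx_model {
    unsigned char buf[MODEL_MAX_MRU];
    unsigned int count;  /* bytes stored so far */
    unsigned int len;    /* payload length announced by the frame header */
    enum rx_state state;
};
typedef int (*data_fn)(struct rx_model *, unsigned char);

/* Pre-fix comparison: the data state ends only when count == len. */
static int data_byte_equal(struct rx_model *m, unsigned char c)
{
    if (m->count >= MODEL_MAX_MRU)
        return -1; /* model guard: this store would land past buf */
    m->buf[m->count++] = c;
    if (m->count == m->len)
        m->state = RX_FCS;
    return 0;
}

/* Post-fix comparison: ordered compare against len plus an upper limit. */
static int data_byte_bounded(struct rx_model *m, unsigned char c)
{
    if (m->count < MODEL_MAX_MRU)
        m->buf[m->count++] = c;
    if (m->count >= MODEL_MAX_MRU)
        m->state = RX_SEARCH; /* oversized frame: drop it and resynchronise */
    else if (m->count >= m->len)
        m->state = RX_FCS;
    return 0;
}

/* Feed up to n bytes in the data state; returns bytes consumed, or -1 on a would-be overflow. */
static int feed(data_fn fn, unsigned int count, unsigned int len, unsigned int n)
{
    struct rx_model m = { .count = count, .len = len, .state = RX_DATA };
    unsigned int i;
    for (i = 0; i < n && m.state == RX_DATA; i++)
        if (fn(&m, 0x41) < 0)
            return -1;
    return (int)i;
}

int main(void)
{   /* constructed stale state from the description: count = 2 already exceeds len = 1 */
    printf("equality: %d, bounded: %d\n", feed(data_byte_equal, 2, 1, 100), feed(data_byte_bounded, 2, 1, 100));
    return 0;
}
```

With the stale state, the equality check can never match because count is already above len, so only the buffer limit stops the stores; the ordered check leaves the data state on the next byte.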

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.35 (including) 4.19.316 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.278 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.219 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.161 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.93 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.9 (including) 6.9.3 (excluding)