forked from mirrors/linux
USB: devio: Don't corrupt user memory
The user buffer has "uurb->buffer_length" bytes. If the kernel has more information than that, we should truncate it instead of writing past the end of the user's buffer. I added a WARN_ONCE() to help the user debug the issue. Reported-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable <stable@vger.kernel.org> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Dan Carpenter
Greg Kroah-Hartman
parent
57999d1107
commit
fa1ed74eb1
1 changed files with 5 additions and 1 deletions
|
|
@ -1576,7 +1576,11 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
|
|||
totlen += isopkt[u].length;
|
||||
}
|
||||
u *= sizeof(struct usb_iso_packet_descriptor);
|
||||
if (totlen <= uurb->buffer_length)
|
||||
uurb->buffer_length = totlen;
|
||||
else
|
||||
WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
|
||||
totlen, uurb->buffer_length);
|
||||
break;
|
||||
|
||||
default:
|
||||
|
|
|
|||
Loading…
Reference in a new issue