Commit fa1ed74e authored Sep 22, 2017 by Dan Carpenter Committed by Greg Kroah-Hartman Sep 25, 2017

USB: devio: Don't corrupt user memory



The user buffer has "uurb->buffer_length" bytes.  If the kernel has more
information than that, we should truncate it instead of writing past
the end of the user's buffer.  I added a WARN_ONCE() to help the user
debug the issue.

Reported-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 57999d11

drivers/usb/core/devio.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -1576,7 +1576,11 @@ static int proc_do_submiturb(struct usb_dev_state ps, struct usbdevfs_urb uurb
		totlen += isopkt[u].length;
		}
		u *= sizeof(struct usb_iso_packet_descriptor);
		if (totlen <= uurb->buffer_length)
		uurb->buffer_length = totlen;
		else
		WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
		totlen, uurb->buffer_length);
		break;

		default: