Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 7453ecf4 authored by Lee Jones's avatar Lee Jones Committed by Lee Jones
Browse files

UPSTREAM: usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() 



commit 6d3c721e686ea6c59e18289b400cc95c76e927e0 upstream.

Userspace provided string 's' could trivially have the length zero. Left
unchecked this will firstly result in an OOB read in the form
`if (str[0 - 1] == '\n') followed closely by an OOB write in the form
`str[0 - 1] = '\0'`.

There is already a validating check to catch strings that are too long.
Let's supply an additional check for invalid strings that are too short.

Bug: 346754046
Signed-off-by: default avatarLee Jones <lee@kernel.org>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20240705074339.633717-1-lee@kernel.org


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d1205033e912f9332c1dbefa812e6ceb0575ce0a)
Signed-off-by: default avatarLee Jones <joneslee@google.com>
Change-Id: Id9a34f3e5495aef0d2a800a1386210f4d9fa8116
parent 56e07d95
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment