Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
GfA
/
linux_kernel
5
0
Салаа 0
Файлууд Асуудлууд 0 Хуулах хүсэлтүүд 0 Мэдлэгийн сан
Эх сурвалжийг харах

USB: devio: Don't corrupt user memory

The user buffer has "uurb->buffer_length" bytes.  If the kernel has more
information than that, we should truncate it instead of writing past
the end of the user's buffer.  I added a WARN_ONCE() to help the user
debug the issue.

Reported-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter 7 жил өмнө
parent
57999d1107
commit
fa1ed74eb1
1 өөрчлөгдсөн 5 нэмэгдсэн , 1 устгасан
Өөрчлөлтийг ялгаж харах Өөрчлөлтийн статистик харах
  1. 5 1
      drivers/usb/core/devio.c

+ 5 - 1
drivers/usb/core/devio.c
Файл харах 

@@ -1576,7 +1576,11 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
 
 			totlen += isopkt[u].length;
 
 		}
 
 		u *= sizeof(struct usb_iso_packet_descriptor);
 
-		uurb->buffer_length = totlen;
 
+		if (totlen <= uurb->buffer_length)
 
+			uurb->buffer_length = totlen;
 
+		else
 
+			WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
 
+				  totlen, uurb->buffer_length);
 
 		break;
 
 
 	default: