If the endpoint companion descriptor is not the first descriptor in the extra descriptor buffer of a usb_host_endpoint, the loop in rpipe_epc_find will get its buffer pointer and remaining size values out of sync. The buffer ptr 'itr' is advanced by the descriptor's bLength field but the remaining size value 'itr_size' is decremented by the bDescriptorType field which is incorrect. This patch fixes the loop to decrement itr_size by bLength as it should. Signed-off-by: Thomas Pugliese <thomas.pugliese@xxxxxxxxx> --- drivers/usb/wusbcore/wa-rpipe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/wusbcore/wa-rpipe.c b/drivers/usb/wusbcore/wa-rpipe.c index 6ca80a4..6d6da12 100644 --- a/drivers/usb/wusbcore/wa-rpipe.c +++ b/drivers/usb/wusbcore/wa-rpipe.c @@ -298,7 +298,7 @@ static struct usb_wireless_ep_comp_descriptor *rpipe_epc_find( break; } itr += hdr->bLength; - itr_size -= hdr->bDescriptorType; + itr_size -= hdr->bLength; } out: return epcd; -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
