On Mon, Sep 08, 2014 at 01:32:33PM +0200, Johan Hovold wrote:
> On Fri, Sep 05, 2014 at 06:17:57PM +0300, Octavian Purdila wrote:

> > +static int _dln2_transfer(struct dln2_dev *dln2, u16 handle, u16 cmd,
> > +			  void *obuf, int obuf_len, void *ibuf, int *ibuf_len)
> > +{

<snip>

> > +	/* if we got here we know that the response header has been checked */
> > +	rsp = rxc->urb->transfer_buffer;
> > +	result = le16_to_cpu(rsp->result);
>
> Yes, but you haven't verified that rsp->hdr.size > 0, so you may still
> be reading stale data.

I meant that you haven't verified that the payload size > 1 (the header
size is included in rsp->hdr.size and result is two bytes wide).

> > +
> > +	if (result) {
> > +		dev_dbg(dev, "%d received response with error %d\n",
> > +			handle, result);
> > +		ret = -EREMOTEIO;
> > +		goto out_free_rx_slot;
> > +	}
> > +
> > +	if (!ibuf) {
> > +		ret = 0;
> > +		goto out_free_rx_slot;
> > +	}
> > +
> > +	if (*ibuf_len > rxc->urb->actual_length - sizeof(*rsp))
> > +		*ibuf_len = rxc->urb->actual_length - sizeof(*rsp);
>
> And then you get an underflow here, although that doesn't seem to cause
> any troubles in this case.

Unless ibuf_len is -1...

> But why isn't ibuf_len unsigned?
>
> > +
> > +	memcpy(ibuf, rsp + 1, *ibuf_len);
> > +
> > +out_free_rx_slot:
> > +	free_rx_slot(dln2, rxs, rx_slot);
> > +
> > +	return ret;
> > +}

Johan
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
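Review bot: the clamp `if (*ibuf_len > rxc->urb->actual_length - sizeof(*rsp))` subtracts before anything in this hunk has checked that `actual_length >= sizeof(*rsp)`; since `sizeof` yields a `size_t`, a short URB makes the right-hand side wrap to a very large unsigned value rather than go negative, so `*ibuf_len` is not reduced and the following `memcpy(ibuf, rsp + 1, *ibuf_len)` can copy past the received data. The signed `int *ibuf_len` makes the comparison worse, because a negative caller value is converted to a large `size_t` before the `>` test. Suggest an explicit check on `actual_length` (and on `rsp->hdr.size`, which must also cover the two-byte `result` read by `le16_to_cpu(rsp->result)`) that fails with an error before the subtraction, and changing `ibuf_len` to an unsigned type.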