Re: [patch] usb: gadget: f_fs: signedness bug in __ffs_func_bind_do_descs()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Sep 09 2014, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> We need "idx" to be signed for the error handling to work.
>
> Fixes: 6d5c1c77bbf9 ('usb: gadget: f_fs: fix the redundant ep files problem')

> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Acked-by: Michal Nazarewicz <mina86@xxxxxxxxxx>

> ---
> Btw, there is a sparse warning:
>
> drivers/usb/gadget/function/f_fs.c:401:44: warning: Variable length array is used.
>
> The risk here is that the array would be too large.  I don't know the
> code well enough to say if it can be triggered, but from an outsider
> perspective it looks scary (security implications).  There should be a
> comment explaining why it can't be used to overflow the 8k stack.

n in that function can be at most 4 and usb_functionfs_event is 20 bytes
long so this takes at most 80 bytes.  Having said that, I can prepare
a patch that converts the array to one with compile-time size if
desired.

>
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> index 0dc3552..7ad7137 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
> @@ -2393,7 +2393,8 @@ static int __ffs_func_bind_do_descs(enum ffs_entity_type type, u8 *valuep,
>  	struct usb_endpoint_descriptor *ds = (void *)desc;
>  	struct ffs_function *func = priv;
>  	struct ffs_ep *ffs_ep;
> -	unsigned ep_desc_id, idx;
> +	unsigned ep_desc_id;
> +	int idx;
>  	static const char *speed_names[] = { "full", "high", "super" };
>  
>  	if (type != FFS_DESCRIPTOR)

-- 
Best regards,                                         _     _
.o. | Liege of Serenely Enlightened Majesty of      o' \,=./ `o
..o | Computer Science,  Michał “mina86” Nazarewicz    (o o)
ooo +--<mpn@xxxxxxxxxx>--<xmpp:mina86@xxxxxxxxxx>--ooO--(_)--Ooo--
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux