On Tue, Sep 09, 2014 at 06:37:02PM +0200, Michal Nazarewicz wrote: > On Tue, Sep 09 2014, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: > > On Tue, Sep 09, 2014 at 03:57:26PM +0200, Michal Nazarewicz wrote: > >> On Tue, Sep 09 2014, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: > >> > Btw, there is a sparse warning: > >> > > >> > drivers/usb/gadget/function/f_fs.c:401:44: warning: Variable length array is used. > >> > > >> > The risk here is that the array would be too large. I don't know the > >> > code well enough to say if it can be triggered, but from an outsider > >> > perspective it looks scary (security implications). There should be a > >> > comment explaining why it can't be used to overflow the 8k stack. > >> > >> n in that function can be at most 4 > > > > I looked for where this limit is set but couldn't figure it out. Which > > function is it? > > The limit is never explicitly set, but logic in this function guarantees > it: > Ok. Thanks. I maybe could have found this on my own because I store this sort of information in Smatch except that "ev" is an anonymous struct. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
