Endpoint descriptors come in 2 sizes, struct usb_endpoint_descriptor being the largest. Take bLength into account to not copy past the endpoint descriptor end, which could be the next descriptor or past interface descriptor (by 2 bytes). Signed-off-by: Vincent Pelletier <plr.vincent@xxxxxxxxx> --- drivers/usb/gadget/function/f_fs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 5490fc51638e..c573c4425f10 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -1230,7 +1230,8 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code, desc = epfile->ep->descs[desc_idx]; spin_unlock_irq(&epfile->ffs->eps_lock); - ret = copy_to_user((void *)value, desc, sizeof(*desc)); + ret = copy_to_user((void *)value, desc, + min(sizeof(*desc), (size_t)desc->bLength)); if (ret) ret = -EFAULT; return ret; -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
