In usb_string_copy(), when `strlen(s) == 0`, `str[ret - 1]` accesses at index -1. Add a check to prevent buffer overrun when `s` is empty.

Signed-off-by: Yiyuan Guo <yguoaz@xxxxxxxxx>
---
 drivers/usb/gadget/configfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index 4c639e9ddedc..457dbc267964 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -127,7 +127,7 @@ static int usb_string_copy(const char *s, char **s_copy)
 return -ENOMEM;
 }
 strcpy(str, s);
- if (str[ret - 1] == '\n')
+ if (ret && str[ret - 1] == '\n')
 str[ret - 1] = '\0';
 *s_copy = str;
 return 0;
--
2.25.1
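Review bot: The new guard in `if (ret && str[ret - 1] == '\n')` tests a length as a boolean and carries no explanation at the point of use; `if (ret > 0 && str[ret - 1] == '\n')` with a comment such as `/* empty input: nothing to strip, and str[-1] would lie before the buffer */` would make the intent explicit. Without the guard, the old code read one byte before `str` and, if that byte happened to be '\n', also wrote a NUL there, so the fixed defect is an out-of-bounds write ahead of the buffer and not only a stray read. The `strcpy(str, s)` two lines above relies on a length bound that this hunk does not show. The function body starts outside the hunk, so it is worth confirming that `ret` is checked against the destination size before the copy.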