This is an underrun issue found by a static analysis tool (under research). I suggest the patch because the code of usb_string_copy() rejects strings with length greater than USB_MAX_STRING_LEN, indicating a possibility for the input string `s` to contain unwanted data (e.g., being empty). For the empty string case, the proposed patch simply copies '\0' in `strcpy(str, s)` without touching index -1 of `str`.

Whether `strlen(s)` could ever be zero in reality is up to the maintainer's judgement, since I have not worked with the subsystem. So please ignore the patch if it is ensured that `s` must be non-empty.

Thanks,
Yiyuan

On Fri, Jun 30, 2023 at 8:17 PM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Fri, Jun 30, 2023 at 07:04:01PM +0800, Yiyuan Guo wrote:
> > In usb_string_copy(), when `strlen(s) == 0`, `str[ret - 1]` accesses at
> > index -1. Add a check to prevent buffer overrun when `s` is empty.
>
> It's an underrun, right?
>
> And how can strlen(s) ever be 0 here?
>
> How did you test this and how did you trigger it?
>
> And what commit id does this fix?
>
> And how was this found?
>
> thanks,
>
> greg k-h
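
The empty-string case discussed in this thread, as an added user-space model; it is not the kernel's usb_string_copy() and not the submitted patch. `MAX_LEN`, `copy_strip()`, the `guard` switch and the arena layout are assumptions made so that index -1 is a defined, observable byte.

```c
#include <errno.h>
#include <string.h>

#define MAX_LEN 126 /* assumed limit for this model; not taken from the thread */

/* Copy s into str and strip one trailing newline.
 * guard != 0 selects the form with the empty-string check. */
static int copy_strip(const char *s, char *str, int guard)
{
    int ret = (int)strlen(s);

    if (ret > MAX_LEN)
        return -EOVERFLOW;
    strcpy(str, s);
    if (guard && ret == 0)
        return 0;             /* empty input: only '\0' was copied */
    if (str[ret - 1] == '\n') /* ret == 0 reads str[-1] */
        str[ret - 1] = '\0';  /* and writes it if it held '\n' */
    return 0;
}

/* Place the destination at arena + 1 so the byte at index -1 belongs to the
 * same array. That byte starts as '\n' (constructed worst case: the underrun
 * read matches and becomes a write). Returns its value after the copy,
 * or -1 if the input was rejected. */
int byte_before_after_copy(const char *s, int guard)
{
    char arena[1 + MAX_LEN + 1];

    arena[0] = '\n';
    if (copy_strip(s, arena + 1, guard) != 0)
        return -1;
    return arena[0];
}

/* Length of the stored string when the guarded form is used, or -1. */
int stripped_len(const char *s)
{
    char arena[1 + MAX_LEN + 1];

    arena[0] = 'x';
    if (copy_strip(s, arena + 1, 1) != 0)
        return -1;
    return (int)strlen(arena + 1);
}
```

With an empty input the unguarded form changes the byte in front of the buffer, while the guarded form leaves it alone and still strips the newline from non-empty input.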