Re: [PATCH] usb: gadget: configfs: Prevent buffer overrun in usb_string_copy

Have done some testing. This issue cannot happen due to the protection
in `configfs_write_iter()`:

	len = fill_write_buffer(buffer, from);
	if (len > 0)
		len = flush_write_buffer(file, buffer, len);

Thanks for your patience,
Yiyuan

On Sat, Jul 1, 2023 at 3:48 AM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Fri, Jun 30, 2023 at 09:13:58PM +0800, yguoaz wrote:
> > This is an underrun issue found by a static analysis tool (under
> > research).
>
> Then you MUST follow our research rules in order to submit patches.
> Please read and follow them, otherwise we have to reject all of your
> submissions.
>
> > I suggest the patch because the code of usb_string_copy()
> > rejects strings with length greater than USB_MAX_STRING_LEN,
> > indicating a possibility for the input string `s` to contain unwanted
> > data (e.g., being empty). For the empty string case, the proposed
> > patch simply copies '\0' in `strcpy(str, s)` without touching index -1
> > of `str`.
> >
> > Whether `strlen(s)` could ever be zero in reality is up to the
> > maintainer's judgement, since I have not worked with the subsystem. So
> > please ignore the patch if it is ensured that `s` must be non-empty.
>
> Test it and see!
>
> good luck,
>
> greg k-h
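
A user-space model of the empty-string case discussed in this thread, added here as an example; it is not the kernel's `usb_string_copy()` or the submitted patch. `MODEL_MAX_LEN` and its value, the function names and the sentinel layout are assumptions, and the `len > 0` gate is modelled for a zero-length write only.

```c
#include <stdio.h>
#include <string.h>
#define MODEL_MAX_LEN 126 /* stand-in for USB_MAX_STRING_LEN; value assumed */

/* Pattern under discussion: trim a trailing '\n' by indexing len - 1. */
static int copy_unguarded(const char *s, char *str)
{
	int len = (int)strlen(s);
	if (len > MODEL_MAX_LEN)
		return -1;
	strcpy(str, s);
	if (str[len - 1] == '\n')	/* len == 0 reads str[-1] */
		str[len - 1] = '\0';	/* and then writes it */
	return 0;
}

/* Guarded form: an empty string is copied as just '\0'. */
static int copy_guarded(const char *s, char *str)
{
	size_t len = strlen(s);
	if (len > MODEL_MAX_LEN)
		return -1;
	strcpy(str, s);
	if (len > 0 && str[len - 1] == '\n')
		str[len - 1] = '\0';
	return 0;
}

/* Caller-side gate from the reply: the handler runs only when len > 0. */
static int gated_store(const char *buf, int len, char *str)
{
	return len > 0 ? copy_unguarded(buf, str) : len;
}

/* Runs one variant (0 unguarded, 1 guarded, 2 gated) with a '\n' sentinel
 * directly before the destination and returns the sentinel afterwards.
 * str[-1] is arena[0], so the access stays inside this model's array. */
static char sentinel_after(int mode, const char *s)
{
	char arena[1 + MODEL_MAX_LEN + 1] = { '\n' };
	char *str = arena + 1;
	if (mode == 0) copy_unguarded(s, str);
	else if (mode == 1) copy_guarded(s, str);
	else gated_store(s, (int)strlen(s), str); /* constructed input, no embedded NUL */
	return arena[0];
}

int main(void)
{
	printf("%d %d %d\n", sentinel_after(0, ""), sentinel_after(1, ""), sentinel_after(2, ""));
}
```

A sentinel of 0 means the byte before the destination was overwritten; 10 (`'\n'`) means it was left intact.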
