On Mon, Jul 24, 2023 at 04:24:55PM +0200, Oliver Neukum wrote:
> On 24.07.23 15:52, Johan Hovold wrote:
>
> > This patch is neither correct nor needed. The current implementation sets
> >
> > 	buf->bMaxPacketSize0 = 0
> >
> > before reading the descriptor and makes sure that that field is non-zero
> > before accessing buf->bDescriptorType which lies before bMaxPacketSize0.
> >
> > It may be subtle, but it looks correct.
>
> True, but I am afraid not sufficient. It neglects the case of getting
> a partial read. That is
>
> 	buf->bMaxPacketSize0
>
> can be genuine, but the later test
>
> 	if (buf->bDescriptorType == USB_DT_DEVICE) {
>
> still spuriously succeed

How can it? bDescriptorType is at the start of the device descriptor,
whereas bMaxPacketSize0 is more towards the end. If the later part gets
transferred from the device, the earlier part must have been transferred
as well. Even if the transfer was short.

Alan Stern
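
The ordering argument in the reply above, as an added example (not code from the kernel or from anyone in the thread): a simplified model of the zeroed-sentinel check, run over every possible short transfer length. The struct `desc_head`, the helpers `short_read`, `check_passes` and `spurious_passes`, and the sample `wire` bytes are all constructed for illustration, and the model assumes a short transfer delivers a prefix of the descriptor in order.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USB_DT_DEVICE 0x01	/* descriptor type code for a device descriptor */

/* First 8 bytes of a USB device descriptor; field names as in the thread. */
struct desc_head {
	uint8_t bLength;
	uint8_t bDescriptorType;	/* offset 1 */
	uint8_t bcdUSB[2];
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;	/* offset 7 */
};

/* Constructed sample: the bytes a device might put on the wire. */
static const uint8_t wire[8] = { 18, USB_DT_DEVICE, 0x00, 0x02, 0, 0, 0, 64 };

/* Assumed model of a short IN transfer: the first n bytes arrive, in order. */
static void short_read(struct desc_head *buf, size_t n)
{
	memcpy(buf, wire, n < sizeof(wire) ? n : sizeof(wire));
}

/* The check described in the thread: sentinel first, then the type field. */
static int check_passes(const struct desc_head *buf)
{
	return buf->bMaxPacketSize0 != 0 && buf->bDescriptorType == USB_DT_DEVICE;
}

/*
 * Try every transfer length against a buffer whose stale contents are the
 * worst case (the old type byte already equals USB_DT_DEVICE). Returns how
 * many lengths pass the check on a type byte the device never sent, and
 * stores the number of lengths that pass at all in *passing.
 */
static int spurious_passes(int *passing)
{
	int spurious = 0;

	*passing = 0;
	for (size_t n = 0; n <= sizeof(wire); n++) {
		struct desc_head buf;

		memset(&buf, USB_DT_DEVICE, sizeof(buf));	/* stale data */
		buf.bMaxPacketSize0 = 0;			/* sentinel */
		short_read(&buf, n);
		if (!check_passes(&buf))
			continue;
		(*passing)++;
		if (n <= offsetof(struct desc_head, bDescriptorType))
			spurious++;
	}
	return spurious;
}
```

Only the full 8-byte transfer overwrites the sentinel, and by then the type byte at offset 1 has been replaced by the device's own value, so no length passes on stale data.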