If you parse a data structure you cannot
just test whether the remainder of your buffer holds
data. It needs to hold a full data structure.
Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
---
drivers/usb/core/config.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 50acc9021247..43c5ed256e6e 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -32,7 +32,7 @@ static int find_next_descriptor(unsigned char *buffer, int size,
unsigned char *buffer0 = buffer;
/* Find the next descriptor of type dt1 or dt2 */
- while (size > 0) {
+ while (size >= sizeof(struct usb_descriptor_header)) {
h = (struct usb_descriptor_header *) buffer;
if (h->bDescriptorType == dt1 || h->bDescriptorType == dt2)
break;
--
2.44.0
