drivers/usb/wusbcore/devconnect.c +462 __wusbhc_keep_alive(34) error: buffer overflow 'ie->bDeviceAddress' 4 <= 5
439 for (cnt = 0;
440 keep_alives <= WUIE_ELT_MAX && cnt < wusbhc->ports_max;
^^^^^^^^^^^^^^^^^^^^^^^^^^^
This should be "keep_alives < WUIE_ELT_MAX".
441 cnt++) {
442 unsigned tt = msecs_to_jiffies(wusbhc->trust_timeout);
443
444 wusb_port = wusb_port_by_idx(wusbhc, cnt);
445 wusb_dev = wusb_port->wusb_dev;
446
447 if (wusb_dev == NULL)
448 continue;
449 if (wusb_dev->usb_dev == NULL || !wusb_dev->usb_dev->authenticated)
450 continue;
451
452 if (time_after(jiffies, wusb_dev->entry_ts + tt)) {
453 dev_err(dev, "KEEPALIVE: device %u timed out\n",
454 wusb_dev->addr);
455 __wusbhc_dev_disconnect(wusbhc, wusb_port);
456 } else if (time_after(jiffies, wusb_dev->entry_ts + tt/2)) {
457 /* Approaching timeout cut out, need to refresh */
458 ie->bDeviceAddress[keep_alives++] = wusb_dev->addr;
ie->bDeviceAddress has WUIE_ELT_MAX elements.
459 }
460 }
461 if (keep_alives & 0x1) /* pad to even number ([WUSB] section 7.5.9) */
462 ie->bDeviceAddress[keep_alives++] = 0x7f;
The case where keep_alives is too big should be handled at the
end of the array. I'm not sure how to do it.
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
