On Thu, 13 Jan 2011, David Brownell wrote: > --- On Thu, 1/13/11, Maulik Mankad <maulik@xxxxxx> wrote: > > > From: Maulik Mankad <maulik@xxxxxx> > > Subject: [PATCH] usb: gadget: composite: avoid access beyond array max length > > To: linux-usb@xxxxxxxxxxxxxxx > > Cc: "Maulik Mankad" <maulik@xxxxxx>, "David Brownell" <david-b@xxxxxxxxxxx>, "Greg Kroah-Hartman" <gregkh@xxxxxxx> > > Date: Thursday, January 13, 2011, 4:49 AM > > One of the USB CV MSC tests issues > > > Seems like a clear and new-ish bug (regression, as > I thought MSC tests had been run before). It doesn't look new to me, but then I haven't followed the history of composite.c very closely. Maybe nobody has tried running the CV MSC tests on the composite storage gadget before -- this bug lies in the composite framework core and so it wouldn't show up while testing standalone g_file_storage. > Alan, do you think you could make a bit of time to > review this fix to see if it can be bettered? > (My first reaction is that this catches the bug > pretty late ... but also, LUN handling isn't a > thing I know much about. This has nothing to do with LUN handling. It's a simple bug in the composite core; we need to validate the interface number in a Setup packet with USB_RECIP_INTERFACE. The failing test case had wIndex (the interface number) set to an out-of-bounds value. In fact, this patch simply copies the error checking from the USB_REQ_GET_INTERFACE and USB_REQ_SET_INTERFACE cases into the default case. It clearly is correct. (Possibly it might be better to separate out the interface check and do it before the rest of the processing, but none of the other gadget drivers do that AFAIK.) Acked-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> Alan Stern -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
