Do not scribble past end of buffer. Check if the userspace buffer has
enough space available before attempting to move more data there. Throw
away all previously read data if the buffer is full.
Cc: stable <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Bjørn Mork <bjorn@xxxxxxx>
---
Hello Oliver!
I hope I am missing something here...
This is otherwise a pretty nasty bug which I cannot understand we
didn't notice before. What am I missing?
Bjørn
drivers/usb/class/cdc-wdm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
index 5f0cb41..e58bfd0 100644
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -186,6 +186,12 @@ static void wdm_in_callback(struct urb *urb)
desc->rerr = status;
desc->reslength = urb->actual_length;
+
+ /* throw away all old data if the user space buffer is full */
+ if (desc->length + desc->reslength > desc->wMaxCommand) {
+ dev_dbg(&desc->intf->dev, "throwing away %d bytes\n", desc->length);
+ desc->length = 0;
+ }
memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
desc->length += desc->reslength;
skip_error:
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
