Oliver Neukum <oliver@xxxxxxxxxx> writes: > @@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *urb) > } > > desc->rerr = status; > - desc->reslength = urb->actual_length; > - memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength); > - desc->length += desc->reslength; > + if (length + desc->length > desc->wMaxCommand) { > + /* The buffer would overflow */ > + set_bit(WDM_OVERFLOW, &desc->flags); > + } else { > + /* we may already be in overflow */ > + if (!test_bit(WDM_OVERFLOW, &desc->flags)) { > + memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength); > + desc->length += length; > + desc->reslength = length; > + } This is not OK. Should probably be memmove(desc->ubuf + desc->length, desc->inbuf, length); ? Bjørn
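
Review bot: the memmove in the else branch copies desc->reslength bytes, but the bounds check above it is made on length, and desc->reslength is only assigned from length two lines after the copy. The copy size is therefore whatever desc->reslength held before this callback, not the value that was checked against desc->wMaxCommand, so the new check does not bound the write into desc->ubuf. Pass length as the size, as in `memmove(desc->ubuf + desc->length, desc->inbuf, length);`, or move `desc->reslength = length;` above the memmove. It is also worth confirming that leaving desc->reslength untouched on the overflow path is intended, since the removed code set it unconditionally.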