rh_call_control() contains a buffer, tbuf, which it uses to hold USB descriptors. These descriptors are eventually copied into the transfer_buffer in the URB. The buffer in the URB is dynamically defined and is always large enough to hold the amount of data it requests. tbuf, however, is statically allocated on the stack with a size of 15 bytes, regardless of the size specified in the URB.

When this buffer is passed to the hcd via the hub_control() call, it is advertised as being as large as the URB buffer (via wLength). When the hcd attempts to write a descriptor containing more than 15 bytes (such as the Standard BOS Descriptor for hubs, defined in the USB3.0 Spec, section 10.13.1), it causes tbuf to overflow onto the stack.

This patchset includes 2 independent options; it is not necessary to apply both. Option 1 simply increases the size of tbuf, so that it can hold larger descriptors. Option 2 circumvents tbuf and passes nongeneric descriptors (such as BOS descriptors) directly to the buffer in the urb, preventing the overflow. A third option would be to rewrite the rh_call function.

Sean O. Stalley (1):
  rh_call_control tbuf overflow fix

Option 1:
 drivers/usb/core/hcd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Option 2:
 drivers/usb/core/hcd.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

--
1.8.1.2
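
An added illustration, not code from the patchset or the kernel: a simplified user-space C model of the length mismatch described above, where a 15-byte bounce buffer is advertised with the URB's wLength. `model_hub_control`, `sample_desc` and the clamped variant are assumptions made for this example; the direct variant follows the idea behind Option 2.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TBUF_SIZE 15   /* size of tbuf as stated in the cover letter */

/* Constructed 22-byte descriptor standing in for any reply longer than tbuf. */
static const uint8_t sample_desc[22] = { 22, 0x0f };

/* Hypothetical stand-in for the hcd's hub_control(): it trusts wLength as the
 * capacity of buf and returns the number of bytes it wrote. */
static size_t model_hub_control(uint8_t *buf, uint16_t wLength)
{
    size_t n = sizeof(sample_desc) < wLength ? sizeof(sample_desc) : wLength;
    memcpy(buf, sample_desc, n);
    return n;
}

/* Bytes that would land past a TBUF_SIZE buffer if the URB's wLength were
 * forwarded unchanged. Computed only; no out-of-bounds write is performed. */
size_t overrun_if_unclamped(uint16_t wLength)
{
    size_t n = sizeof(sample_desc) < wLength ? sizeof(sample_desc) : wLength;
    return n > TBUF_SIZE ? n - TBUF_SIZE : 0;
}

/* Bounce-buffer variant (an assumption, not one of the patchset's options):
 * advertise no more than tbuf really holds, then copy into the URB buffer.
 * The overflow is gone, but long descriptors are truncated to 15 bytes. */
size_t rh_control_clamped(uint8_t *urb_buf, uint16_t wLength)
{
    uint8_t tbuf[TBUF_SIZE];
    uint16_t adv = wLength < sizeof(tbuf) ? wLength : (uint16_t)sizeof(tbuf);
    size_t n = model_hub_control(tbuf, adv);
    memcpy(urb_buf, tbuf, n);
    return n;
}

/* Direct variant (the idea behind Option 2): hand the callee the URB buffer
 * itself, whose capacity really is wLength, so length and buffer agree. */
size_t rh_control_direct(uint8_t *urb_buf, uint16_t wLength)
{
    return model_hub_control(urb_buf, wLength);
}
```

The invariant to check in review is that the length passed to the callee never exceeds the capacity of the buffer passed alongside it.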