On Thu, 8 Aug 2013, Sean O. Stalley wrote:

> rh_call_control() contains a buffer, tbuf, which it uses to hold
> USB descriptors. These descriptors are eventually copied into the
> transfer_buffer in the URB. The buffer in the URB is dynamically
> defined and is always large enough to hold the amount of data it
> requests.
>
> tbuf is currently statically allocated on the stack with a size
> of 15 bytes, regardless of the size specified in the URB.
> This patch dynamically allocates tbuf, and ensures that tbuf is
> at least as big as the buffer in the URB.
>
> If an hcd attempts to write a descriptor containing more than
> 15 bytes ( such as the Standard BOS Descriptor for hubs, defined
> in the USB3.0 Spec, section 10.13.1 ) the write would overflow
> the buffer and corrupt the stack. This patch addresses this
> behavior.
>
> Signed-off-by: Sean O. Stalley <sean.stalley@xxxxxxxxx>

> @@ -494,6 +490,18 @@ static int rh_call_control (struct usb_hcd *hcd, struct urb *urb)
>  	if (wLength > urb->transfer_buffer_length)
>  		goto error;
>
> +	/*
> +	 * tbuf should be at least as big as the
> +	 * USB hub descriptor.
> +	 */
> +	tbuf_size = max_t(u16, sizeof(struct usb_hub_descriptor), wLength);
> +	tbuf = kzalloc(tbuf_size, GFP_KERNEL);
> +	if (!tbuf)
> +		return -ENOMEM;
> +
> +	bufp = tbuf;
> +
> +
>  	urb->actual_length = 0;
>  	switch (typeReq) {
>
> @@ -675,6 +683,7 @@ error:
>  		urb->actual_length = len;
>  		// always USB_DIR_IN, toward host
>  		memcpy (ubuf, bufp, len);
> +		kfree(tbuf);
>
>  		/* report whether RH hardware supports remote wakeup */
>  		if (patch_wakeup &&

This deallocates tbuf when len > 0, but it leaks the memory when len is 0.

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
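Review bot: in the first hunk, once `tbuf = kzalloc(tbuf_size, GFP_KERNEL)` succeeds, every later exit from rh_call_control (the `goto error` paths and any early `return` inside the `switch (typeReq)` block) must release it, so the allocation turns a stack buffer into a resource that each of those paths now has to account for; please audit them and keep the free at one common exit. GFP_KERNEL is also hard-coded here although the submitter's mem_flags are not visible in rh_call_control; if root-hub control URBs can be submitted from atomic context this needs GFP_ATOMIC or the flags passed through, and a comment stating the context assumption would help either way. Minor: the two consecutive blank `+` lines after `bufp = tbuf;` leave a double blank line; drop one.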
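Review bot: the `kfree(tbuf)` in the second hunk is placed directly after `memcpy (ubuf, bufp, len)`, inside the block that only runs when len > 0 (as the reply notes), so a zero-length or failed request leaks the allocation; move the kfree to the common tail after the `if (patch_wakeup && ...)` block closes, so the len == 0 case frees it too. Since the pre-allocation `goto error` in the first hunk also lands at `error:`, tbuf then has to be initialised to NULL at its declaration so that kfree(tbuf) on that path is a harmless kfree(NULL) rather than a free of an uninitialised pointer.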