On Mon, Aug 12, 2013 at 11:09:25AM -0700, Sean O. Stalley wrote:
> rh_call_control() contains a buffer, tbuf, which it uses to hold
> USB descriptors. These descriptors are eventually copied into the
> transfer_buffer in the URB. The buffer in the URB is dynamically
> defined and is always large enough to hold the amount of data it
> requests.
>
> tbuf is currently statically allocated on the stack with a size
> of 15 bytes, regardless of the size specified in the URB.
> This patch dynamically allocates tbuf, and ensures that tbuf is
> at least as big as the buffer in the URB.
>
> If an hcd attempts to write a descriptor containing more than
> 15 bytes (such as the Standard BOS Descriptor for hubs, defined
> in the USB3.0 Spec, section 10.13.1) the write would overflow
> the buffer and corrupt the stack. This patch addresses this
> behavior.
>
> Acked-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Sean O. Stalley <sean.stalley@xxxxxxxxx>
> ---
> drivers/usb/core/hcd.c | 24 +++++++++++++++++-------
> 1 file changed, 17 insertions(+), 7 deletions(-)

Applying this patch produces a compiler warning that shows the patch is buggy:

drivers/usb/core/hcd.c: In function ‘usb_hcd_submit_urb’:
drivers/usb/core/hcd.c:704:7: warning: ‘tbuf’ may be used uninitialized in this function [-Wmaybe-uninitialized]
drivers/usb/core/hcd.c:474:7: note: ‘tbuf’ was declared here

gcc is correct here, please fix this, and _never_ ignore compiler warnings.

thanks,

greg k-h
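An added user-space model of the fix under discussion (not the kernel patch and not code from either poster): tbuf is heap-allocated to at least the URB's buffer size instead of a fixed 15-byte stack array, oversized descriptors are rejected rather than written past the end, and tbuf is initialised to NULL so an early error path that reaches the free is well defined, which is the -Wmaybe-uninitialized path the reply points at. struct model_urb, the 15-byte minimum and the 20-byte sample descriptor are assumptions constructed for the example.

```c
/* User-space model of the rh_call_control() fix; hypothetical, not kernel code. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Stand-in for the URB fields the copy depends on (assumption). */
struct model_urb {
    size_t transfer_buffer_length;  /* caller-owned buffer is always this large */
    uint8_t *transfer_buffer;
    int actual_length;
};

/* Constructed 20-byte descriptor: longer than the old 15-byte stack buffer. */
static const uint8_t sample_descriptor[20] = {
    0x14, 0x0f, 0x14, 0x00, 0x01, 0x07, 0x10, 0x02, 0x02, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Copies desc into urb->transfer_buffer via tbuf; returns bytes copied or -1. */
int model_rh_call_control(struct model_urb *urb, const uint8_t *desc, size_t desc_len)
{
    uint8_t *tbuf = NULL;   /* was: u8 tbuf[15]; NULL makes the error path safe */
    size_t tbuf_len;
    int copied = -1;

    if (!urb || !urb->transfer_buffer || !desc)
        goto error;         /* reaches free(tbuf) before tbuf is allocated */

    /* At least as big as the URB buffer, never below the old 15-byte size. */
    tbuf_len = urb->transfer_buffer_length > 15 ? urb->transfer_buffer_length : 15;
    tbuf = malloc(tbuf_len);
    if (!tbuf)
        goto error;

    /* The hcd writes the descriptor into tbuf: refuse anything that will not fit. */
    if (desc_len > tbuf_len)
        goto error;
    memcpy(tbuf, desc, desc_len);

    /* Hand back only as much as the URB asked for. */
    copied = desc_len < urb->transfer_buffer_length
             ? (int)desc_len : (int)urb->transfer_buffer_length;
    memcpy(urb->transfer_buffer, tbuf, (size_t)copied);
    urb->actual_length = copied;
error:
    free(tbuf);             /* free(NULL) is a no-op; an uninitialised tbuf would not be */
    return copied;
}
```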