On Fri, 25 Oct 2013, Huang Rui wrote:

> On Mon, Oct 21, 2013 at 11:57:32AM -0400, Alan Stern wrote:
> > On Mon, 21 Oct 2013, Huang Rui wrote:
> >
> > > + /*
> > > + * get generic device-level capability descriptors [9.6.2]
> > > + * in USB 3.0 spec
> > > + */
> > > + retval = usb_get_descriptor(udev, USB_DT_BOS, 0, dev->buf,
> > > + total);
> >
> > This exposes the kernel to a buffer overflow bug. Remember, dev->buf
> > is only 256 bytes long. What happens if total > 256?
> >
>
> Do you mean I should allocate a buffer with "total" size? Or if
> "total" > 256, I set a dev_err then return?

I mean that if total > 256 then you should set total = 256. (Except
that you should use TBUF_SIZE, not 256, in your code.)

> A question, I think "total" isn't larger than 256. Because at
> current, there are only four device capability types such as
> Wireless_USB, USB 2.0 EXTENSION, Superspeed_USB, CONTAINER_ID, do
> you mean there might be more descriptors added in future?

There might be more descriptors in the future. Or total might be > 256
simply because of a bug in the device's firmware.

Alan Stern
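Review bot: the usb_get_descriptor() call in the quoted hunk passes the device-reported `total` as the length while writing into the fixed-size `dev->buf` (TBUF_SIZE, 256 bytes), so `total` must be clamped to TBUF_SIZE before the call, e.g. `if (total > TBUF_SIZE) total = TBUF_SIZE;`. The hunk also does not show `retval` being compared against the length actually expected; since a device can return fewer bytes than its wTotalLength claims, any later walk over the capability descriptors in `dev->buf` should be bounded by `retval`, not by `total`.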
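As an added illustration of the clamping Alan describes (example code, not from the patch or the kernel): a bounded walk over a BOS descriptor that trusts neither wTotalLength nor any capability bLength beyond the bytes actually received. TBUF_SIZE, the descriptor-type constants and the sample bytes are constructed here; the layout follows USB 3.0 section 9.6.2.

```c
#include <stddef.h>
#include <stdint.h>

#define TBUF_SIZE 256                 /* fixed scratch buffer size, as in the thread */
#define USB_DT_BOS 0x0f               /* BOS descriptor type (constructed constant) */
#define USB_DT_DEVICE_CAPABILITY 0x10 /* device capability descriptor type */

/* Count the device capability descriptors that lie entirely within the
 * bytes a device actually returned into a TBUF_SIZE buffer.
 * Returns -1 if the 5-byte BOS header itself is missing or malformed.
 * wTotalLength is clamped to TBUF_SIZE (Alan's fix) and then to 'received',
 * and every per-capability bLength is checked against that bound. */
int count_bos_caps(const uint8_t *buf, size_t received)
{
    size_t total, off;
    int caps = 0;

    if (received < 5 || buf[0] < 5 || buf[1] != USB_DT_BOS)
        return -1;
    total = buf[2] | ((size_t)buf[3] << 8);   /* wTotalLength, little-endian */
    if (total > TBUF_SIZE)
        total = TBUF_SIZE;                    /* never exceed the buffer */
    if (total > received)
        total = received;                     /* device may send less than claimed */

    off = buf[0];                             /* skip the BOS header */
    while (off + 3 <= total) {
        uint8_t len = buf[off];
        if (len < 3 || off + len > total)
            break;                            /* truncated or bogus bLength: stop */
        if (buf[off + 1] == USB_DT_DEVICE_CAPABILITY)
            caps++;
        off += len;
    }
    return caps;
}

/* Constructed sample: header claims wTotalLength = 0x1000 (bogus firmware
 * value), followed by a USB 2.0 Extension cap (7 bytes) and a SuperSpeed
 * USB cap (10 bytes). Only 22 bytes are actually "received". */
static const uint8_t sample_bos[] = {
    5, USB_DT_BOS, 0x00, 0x10, 2,
    7, USB_DT_DEVICE_CAPABILITY, 0x02, 0x02, 0x00, 0x00, 0x00,
    10, USB_DT_DEVICE_CAPABILITY, 0x03, 0x00, 0x0e, 0x00, 0x01, 0x0a, 0xff, 0x07,
};

int demo_caps(void) { return count_bos_caps(sample_bos, sizeof sample_bos); }
```

With the full 22 bytes both capabilities are counted; drop the last three bytes and the SuperSpeed descriptor no longer fits, so the walk stops after one.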