The patch titled usb gadget: Read buffer overflow has been added to the -mm tree. Its filename is usb-gadget-read-buffer-overflow.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find out what to do about this The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/ ------------------------------------------------------ Subject: usb gadget: Read buffer overflow From: Roel Kluin <roel.kluin@xxxxxxxxx> Check whether index is within bounds before testing the element. Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx> Cc: David Brownell <david-b@xxxxxxxxxxx> Cc: Greg KH <greg@xxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- drivers/usb/gadget/composite.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN drivers/usb/gadget/composite.c~usb-gadget-read-buffer-overflow drivers/usb/gadget/composite.c --- a/drivers/usb/gadget/composite.c~usb-gadget-read-buffer-overflow +++ a/drivers/usb/gadget/composite.c @@ -602,7 +602,7 @@ static int get_string(struct usb_composi } } - for (len = 0; s->wData[len] && len <= 126; len++) + for (len = 0; len <= 126 && s->wData[len]; len++) continue; if (!len) return -EINVAL; _ Patches currently in -mm which might be from roel.kluin@xxxxxxxxx are linux-next.patch x86-fix-buffer-overflow-in-efi_init.patch s3c-fix-check-of-index-into-s3c_gpios.patch stmp3xxx-deallocation-with-negative-index-of-descriptors.patch dm-strncpy-does-not-null-terminate-string.patch powerpc-sky-cpu-redundant-or-incorrect-tests-on-unsigned.patch powerpc-fsl-booke-read-buffer-overflow.patch media-strncpy-does-not-null-terminate-string.patch siano-read-buffer-overflow.patch drivers-media-video-bw-qcamc-fix-read-buffer-overflow.patch stk-webcam-read-buffer-overflow.patch hid-fix-read-buffer-overflow.patch ipath-strncpy-does-not-null-terminate-string.patch mips-decrease-size-of-au1xxx_dbdma_pm_regs.patch mips-read-buffer-overflow.patch slram-read-buffer-overflow.patch slram-read-buffer-overflow-cleanup.patch mtd-fix-read-buffer-overflow.patch irda-fix-read-buffer-overflow.patch atlx-strncpy-does-not-null-terminate-string.patch ext4-remove-redundant-test-on-unsigned.patch ocfs2-keep-index-within-status_map.patch drivers-parisc-pdc_stablec-fix-read-buffer-overflow.patch cyclades-read-buffer-overflow.patch drivers-scsi-fnic-fnic_scsic-clean-up.patch ibmmca-buffer-overflow.patch scsi-eata-fix-buffer-overflow.patch drivers-scsi-gdthc-fix-buffer-overflow.patch drivers-scsi-iprh-fix-buffer-overflow.patch drivers-scsi-u14-34fc-fix-uffer-overflow.patch drivers-scsi-lpfc-lpfc_vportc-fix-read-buffer-overflow.patch libertas-read-buffer-overflow.patch i915-fix-read-outside-array-bounds.patch frv-duplicate-output_buffer-of-e03.patch frv-duplicate-output_buffer-of-e03-checkpatch-fixes.patch arch-alpha-boot-tools-objstripc-wrong-variable-tested-after-open.patch m32r-remove-redundant-tests-on-unsigned.patch m68k-count-can-reach-51-not-50.patch m68k-cnt-reaches-1-not-0.patch dme1737-keep-index-within-pwm_config.patch ncpfs-read-buffer-overflow.patch smbfs-read-buffer-overflow.patch platinumfb-misplaced-parenthesis.patch sisfb-read-buffer-overflow.patch drivers-video-console-newport_conc-fix-read-outside-array-bounds.patch adfs-remove-redundant-test-on-unsigned.patch osst-fix-read-buffer-overflow.patch usb-gadget-read-buffer-overflow.patch perf-fix-read-buffer-overflow.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html