summaryrefslogtreecommitdiff
path: root/Documentation/maintainer
diff options
context:
space:
mode:
authorChris Dickens <christopher.a.dickens@gmail.com>2018-01-01 05:59:42 +0300
committerFelipe Balbi <felipe.balbi@linux.intel.com>2018-03-08 16:12:01 +0300
commit5d6ae4f0da8a64a185074dabb1b2f8c148efa741 (patch)
treed61dd8340070101c7c1cdba2d917b78faa885232 /Documentation/maintainer
parentf3768997013e1c7d625ca427150644f80eb5900e (diff)
downloadlinux-5d6ae4f0da8a64a185074dabb1b2f8c148efa741.tar.xz
usb: gadget: composite: fix incorrect handling of OS desc requests
When handling an OS descriptor request, one of the first operations is to zero out the request buffer using the wLength from the setup packet. There is no bounds checking, so a wLength > 4096 would clobber memory adjacent to the request buffer. Fix this by taking the min of wLength and the request buffer length prior to the memset. While at it, define the buffer length in a header file so that magic numbers don't appear throughout the code. When returning data to the host, the data length should be the min of the wLength and the valid data we have to return. Currently we are returning wLength, thus requests for a wLength greater than the amount of data in the OS descriptor buffer would return invalid (albeit zero'd) data following the valid descriptor data. Fix this by counting the number of bytes when constructing the data and using this when determining the length of the request. Signed-off-by: Chris Dickens <christopher.a.dickens@gmail.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Diffstat (limited to 'Documentation/maintainer')
0 files changed, 0 insertions, 0 deletions