projects / GitHub / LineageOS / G12 / android_kernel_amlogic_linux-4.9.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2e94f8c) | patch
usb: gadget: composite: fix incorrect handling of OS desc requests
authorChris Dickens <christopher.a.dickens@gmail.com>
Mon, 1 Jan 2018 02:59:42 +0000 (18:59 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 25 May 2018 14:13:04 +0000 (16:13 +0200)
commitbf54f31e1fbe656cd8fea7a54404296e6077f9e9
tree70860abef2cb1e048d52448e47e06b76f30e8113tree | snapshot (tar.gz zip)
parent2e94f8cde34742ccfe9642ac42d31bbe76d1e77dcommit | diff
usb: gadget: composite: fix incorrect handling of OS desc requests

[ Upstream commit 5d6ae4f0da8a64a185074dabb1b2f8c148efa741 ]

When handling an OS descriptor request, one of the first operations is
to zero out the request buffer using the wLength from the setup packet.
There is no bounds checking, so a wLength > 4096 would clobber memory
adjacent to the request buffer. Fix this by taking the min of wLength
and the request buffer length prior to the memset. While at it, define
the buffer length in a header file so that magic numbers don't appear
throughout the code.

When returning data to the host, the data length should be the min of
the wLength and the valid data we have to return. Currently we are
returning wLength, thus requests for a wLength greater than the amount
of data in the OS descriptor buffer would return invalid (albeit zero'd)
data following the valid descriptor data. Fix this by counting the
number of bytes when constructing the data and using this when
determining the length of the request.

Signed-off-by: Chris Dickens <christopher.a.dickens@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/gadget/composite.c diff | blob | blame | history
include/linux/usb/composite.h diff | blob | blame | history