usb: gadget: f_fs: Do not copy past descriptor end.
author Vincent Pelletier <plr.vincent@gmail.com>
Tue, 17 Jan 2017 13:20:11 +0000 (13:20 +0000)
committer Felipe Balbi <felipe.balbi@linux.intel.com>
Tue, 24 Jan 2017 09:04:23 +0000 (11:04 +0200)
Endpoint descriptors come in 2 sizes, struct usb_endpoint_descriptor being
the largest. Use bLength to stop on endpoint descriptor boundary, and not
2 bytes too far.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
drivers/usb/gadget/function/f_fs.c

index 5e746adc8a2d5416b7e1bcbeb8c41559716599b4..e126897a7faedcf7bf247f7e9714867b26cf3ddf 100644 (file)
@@ -1230,7 +1230,7 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code,
                        desc = epfile->ep->descs[desc_idx];
 
                        spin_unlock_irq(&epfile->ffs->eps_lock);
-                       ret = copy_to_user((void *)value, desc, sizeof(*desc));
+                       ret = copy_to_user((void *)value, desc, desc->bLength);
                        if (ret)
                                ret = -EFAULT;
                        return ret;
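
Review bot: the length on the new `copy_to_user()` line comes straight from `desc->bLength` with no upper bound, so the copy stays inside the descriptor only if every entry in `epfile->ep->descs[]` carries a bLength no larger than the object behind it. Nothing visible in this hunk guarantees that. Consider clamping with `min_t(size_t, desc->bLength, sizeof(*desc))`, or add a comment naming where bLength is validated before it reaches this ioctl. The length is also read through `desc` after `spin_unlock_irq()`, so taking it into a local while the lock is still held would make the size used for the copy independent of anything that happens to the descriptor afterwards. Finally, a caller that passes a full `sizeof(*desc)` buffer now gets the last 2 bytes left untouched for the shorter descriptor form; that is worth stating in the ioctl documentation so userspace zeroes the buffer or checks bLength before reading the tail.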