Skip to content

L
linux
Commit 5baa19b3 authored by Paulo Marques's avatar Paulo Marques Committed by Deepak Saxena
Browse files
Options

[PATCH] USB: fix usblp.c 

The line that IMHO triggers the bug is this:

"writecount += usblp->writeurb->transfer_buffer_length;"

It uses "usblp->writeurb->transfer_buffer_length" before initializing it,
assuming that it will be zero on the first run. If it is not zero, but instead
random *negative* garbage from memory, the loop will start printing endless data
from user-space data.
parent 2a62f1e1
Show whitespace changes
Inline Side-by-side
Showing with 8 additions and 12 deletions
drivers/usb/class/usblp.c
View file @ 5baa19b3
......@@ -603,7 +603,7 @@ static ssize_t usblp_write(struct file *file, const char __user *buffer, size_t
{
DECLARE_WAITQUEUE(wait, current);
struct usblp *usblp = file->private_data;
int timeout, err = 0;
int timeout, err = 0, transfer_length;
size_t writecount = 0;
while (writecount < count) {
......@@ -654,19 +654,13 @@ static ssize_t usblp_write(struct file *file, const char __user *buffer, size_t
continue;
}
writecount += usblp->writeurb->transfer_buffer_length;
usblp->writeurb->transfer_buffer_length = 0;
if (writecount == count) {
up (&usblp->sem);
break;
}
transfer_length=(count - writecount);
if (transfer_length > USBLP_BUF_SIZE)
transfer_length = USBLP_BUF_SIZE;
usblp->writeurb->transfer_buffer_length = (count - writecount) < USBLP_BUF_SIZE ?
(count - writecount) : USBLP_BUF_SIZE;
usblp->writeurb->transfer_buffer_length = transfer_length;
if (copy_from_user(usblp->writeurb->transfer_buffer, buffer + writecount,
usblp->writeurb->transfer_buffer_length)) {
if (copy_from_user(usblp->writeurb->transfer_buffer, buffer + writecount, transfer_length)) {
up(&usblp->sem);
return writecount ? writecount : -EFAULT;
}
......@@ -683,6 +677,8 @@ static ssize_t usblp_write(struct file *file, const char __user *buffer, size_t
break;
}
up (&usblp->sem);
writecount += transfer_length;
}
return count;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7