Greg:
This is a very minor point, unlikely ever to come up. But just in case...
It's conceivable that a device might transmit different values for a
configuration descriptor's wTotalLength the first time we ask for it (in
order to get the length) and the second time (to get the entire
descriptor). Should that improbable event occur, the rawdescriptor buffer
could be allocated using a size that's smaller than the length recorded in
the rawdescriptor itself. This patch protects devio.c against such a
problem.
If you feel this sequence of events is too unlikely to worry about, then
don't bother to apply the patch.
Alan Stern
===== devio.c 1.88 vs edited =====
--- 1.88/drivers/usb/core/devio.c Wed Mar 17 14:16:46 2004
+++ edited/drivers/usb/core/devio.c Fri Mar 19 15:55:45 2004
@@ -124,14 +124,25 @@
unsigned int length = le16_to_cpu(config->wTotalLength);
if (*ppos < pos + length) {
+
+ /* The descriptor may claim to be longer than it
+ * really is. Here is the actual allocated length. */
+ unsigned alloclen =
+ ps->dev->config[i].desc.wTotalLength;
+
len = length - (*ppos - pos);
if (len > nbytes)
len = nbytes;
- if (copy_to_user(buf,
- ps->dev->rawdescriptors[i] + (*ppos - pos), len)) {
- ret = -EFAULT;
- goto err;
+ /* Simply don't write (skip over) unallocated parts */
+ if (alloclen > (*ppos - pos)) {
+ alloclen -= (*ppos - pos);
+ if (copy_to_user(buf,
+ ps->dev->rawdescriptors[i] + (*ppos - pos),
+ min(len, alloclen))) {
+ ret = -EFAULT;
+ goto err;
+ }
}
*ppos += len;
-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
[EMAIL PROTECTED]
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel
