Re: [PATCH 1/4] staging: comedi: vmk80xx: fix out-of-bounds write

2015-02-23 Thread Ian Abbott
On 20/02/15 19:52, H Hartley Sweeten wrote:
> usb_blk_msg() will return the passed 'len' (64) as the 'actual_len' (cnt) of

That's usb_bulk_msg().

> the transfer. The addition of the '\0' to the end of the returned string will
> overrun the 'rx' array. Increase the array size by 1 to fix the

Re: [PATCH 1/4] staging: comedi: vmk80xx: fix out-of-bounds write

2015-02-23 Thread Ian Abbott
On 23/02/15 19:53, Hartley Sweeten wrote:
> Actually, since the information is just used in kernel log messages can we
> just remove it?

I suppose so.

-- 
-=( Ian Abbott @ MEV Ltd.    E-mail: abbo...@mev.co.uk )=-
-=( Web: http://www.mev.co.uk/ )=-

[PATCH 1/4] staging: comedi: vmk80xx: fix out-of-bounds write

2015-02-20 Thread H Hartley Sweeten
usb_blk_msg() will return the passed 'len' (64) as the 'actual_len' (cnt) of the transfer. The addition of the '\0' to the end of the returned string will overrun the 'rx' array. Increase the array size by 1 to fix the out-of-bounds write.

Reported-by: coverity (CID 711413)
Signed-off-by: H
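
A userspace model of the off-by-one described in the patch description above, added here as an example; it is not code from the vmk80xx driver or from anyone in the thread. `fake_bulk_read` and `read_string` are hypothetical stand-ins, the data is constructed, and only the 64-byte length and the `rx`/`cnt` names come from the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XFER_LEN 64 /* transfer length given in the commit message */

/* Constructed stand-in for the bulk read: the device supplies `avail` bytes,
 * at most `len` are copied, and the count is reported via *actual_len. */
static int fake_bulk_read(char *buf, size_t len, size_t avail, size_t *actual_len)
{
    size_t n = avail < len ? avail : len;

    memset(buf, 'V', n);
    *actual_len = n;
    return 0;
}

/* Read up to XFER_LEN bytes into rx (rx_size bytes) and NUL-terminate it.
 * Returns the string length, or -1 when rx cannot hold the transfer or
 * when rx[cnt] would lie past the end of the array. */
static int read_string(char *rx, size_t rx_size, size_t avail)
{
    size_t cnt = 0;

    if (rx_size < XFER_LEN)
        return -1;              /* the transfer itself would not fit */
    if (fake_bulk_read(rx, XFER_LEN, avail, &cnt))
        return -1;
    if (cnt >= rx_size)
        return -1;              /* rx[cnt] = '\0' would be out of bounds */
    rx[cnt] = '\0';
    return (int)cnt;
}

int main(void)
{
    char small[XFER_LEN];       /* sized like the transfer: no room for '\0' */
    char fixed[XFER_LEN + 1];   /* one extra byte, as the patch proposes */

    printf("short reply, 64-byte array: %d\n", read_string(small, sizeof(small), 10));
    printf("full reply,  64-byte array: %d\n", read_string(small, sizeof(small), 64));
    printf("full reply,  65-byte array: %d\n", read_string(fixed, sizeof(fixed), 64));
    return 0;
}
```

The 64-byte array only fails when the device returns a full-length reply, which is why a short reply hides the problem in testing.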