Copy with uiomove(9) the correct size of the descriptor and not a random
value from the stack. This is Coverity CID 1497167.
As I understand it there's no security impact as the size is always
capped by `ufd_size'; however, the returned descriptor might be corrupted
and this can explain why userland applications might randomly fail.
ok?
Index: ugen.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/ugen.c,v
retrieving revision 1.107
diff -u -p -u -5 -r1.107 ugen.c
--- ugen.c 2 Sep 2020 12:36:12 -0000 1.107
+++ ugen.c 28 Sep 2020 09:12:47 -0000
@@ -1121,10 +1121,11 @@ ugen_do_ioctl(struct ugen_softc *sc, int
cdesc = usbd_get_cdesc(sc->sc_udev, fd->ufd_config_index,
&cdesc_len);
if (cdesc == NULL)
return (EINVAL);
+ len = cdesc_len;
if (len > fd->ufd_size)
len = fd->ufd_size;
iov.iov_base = (caddr_t)fd->ufd_data;
iov.iov_len = len;
uio.uio_iov = &iov;
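Review bot: At the added `len = cdesc_len;`, note that the clamp right after it (`if (len > fd->ufd_size)`) only bounds `len` by the caller's buffer size, so before this change a stack value smaller than `fd->ufd_size` but larger than `cdesc_len` would have passed through to `iov.iov_len` unchanged. The commit message should cover that case rather than rest on the `ufd_size` cap alone, because a length above `cdesc_len` sizes the copy past the descriptor returned by `usbd_get_cdesc()`. The assignment itself is placed correctly, after the `cdesc == NULL` check. The declarations of `len` and `cdesc_len` are outside the visible context, so please confirm their types and signedness match and that the assignment and the comparison against `fd->ufd_size` cannot truncate or go negative.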