Copy with uiomove(9) the correct size of the descriptor and not a random value from the stack. This is Coverity CID 1497167.
As I understand it, there's no security impact as the size is always capped by `ufd_size'; however, the returned descriptor might be corrupted and this can explain why userland applications might randomly fail.

ok?

Index: ugen.c =================================================================== RCS file: /cvs/src/sys/dev/usb/ugen.c,v retrieving revision 1.107 diff -u -p -u -5 -r1.107 ugen.c --- ugen.c 2 Sep 2020 12:36:12 -0000 1.107 +++ ugen.c 28 Sep 2020 09:12:47 -0000 @@ -1121,10 +1121,11 @@ ugen_do_ioctl(struct ugen_softc *sc, int cdesc = usbd_get_cdesc(sc->sc_udev, fd->ufd_config_index, &cdesc_len); if (cdesc == NULL) return (EINVAL); + len = cdesc_len; if (len > fd->ufd_size) len = fd->ufd_size; iov.iov_base = (caddr_t)fd->ufd_data; iov.iov_len = len; uio.uio_iov = &iov;
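
Review bot: at the added `len = cdesc_len;`, please confirm that `len`, `cdesc_len` and `fd->ufd_size` agree in type and signedness, because the `if (len > fd->ufd_size)` clamp that follows is the only bound on `iov.iov_len` visible here and the declarations sit outside this hunk. Within the shown context nothing else assigns `len` before that comparison, so the clamp depends entirely on this one line; a short comment on it, or folding the assignment and the clamp into a single minimum of `cdesc_len` and `fd->ufd_size`, would make it harder for a later change to separate them again.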