CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2020/08/27 13:55:01
Modified files:
sys/dev/usb : usb.c
Log message:
Fix a potential panic during free(9) which can be caused by an USB
device which returns a spurious value for wTotalLength on a configuration
descriptor request. Therefore don't relay on wTotalLength for free(9)
but on the length variable which was used for the malloc(9) before.
The issue was reported by
Mikolaj Kucharski <mikolaj (at) kucharski (dot) name> on bugs@.
Discussed and ok deraadt@
