CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]        2026/07/14 15:14:09

Modified files:
        sys/dev/usb    : usb_subr.c 

Log message:
Fix a potential 1-byte buffer overflow in usbd_get_string_desc().  The code
allows for a transfer of up to 255 bytes but the struct behind the
usb_string_descriptor_t type is only 254 bytes.  This is because USB
strings are UTF-16 and that leaves a single byte that can't be used in
a meaningful way.  So truncating transfer to 254 bytes should not break
devices that are already broken.  Found by Andrew Griffiths.

ok jsg@, deraadt@

Reply via email to