CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/07/14 15:14:09
Modified files:
sys/dev/usb : usb_subr.c
Log message:
Fix a potential 1-byte buffer overflow in usbd_get_string_desc(). The code
allows for a transfer of up to 255 bytes but the struct behind the
usb_string_descriptor_t type is only 254 bytes. This is because USB
strings are UTF-16 and that leaves a single byte that can't be used in
a meaningful way. So truncating transfer to 254 bytes should not break
devices that are already broken. Found by Andrew Griffiths.
ok jsg@, deraadt@