Do not scribble past end of buffer. Check if the userspace buffer has enough space available before attempting to move more data there. Throw away all previously read data if the buffer is full.
Cc: stable <[email protected]> Signed-off-by: Bjørn Mork <[email protected]> --- Hello Oliver! I hope I am missing something here... This is otherwise a pretty nasty bug which I cannot understand we didn't notice before. What am I missing? Bjørn drivers/usb/class/cdc-wdm.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c index 5f0cb41..e58bfd0 100644 --- a/drivers/usb/class/cdc-wdm.c +++ b/drivers/usb/class/cdc-wdm.c @@ -186,6 +186,12 @@ static void wdm_in_callback(struct urb *urb) desc->rerr = status; desc->reslength = urb->actual_length; + + /* throw away all old data if the user space buffer is full */ + if (desc->length + desc->reslength > desc->wMaxCommand) { + dev_dbg(&desc->intf->dev, "throwing away %d bytes\n", desc->length); + desc->length = 0; + } memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength); desc->length += desc->reslength; skip_error: -- 1.7.10.4
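Review bot: In wdm_in_callback(), the new check resets desc->length to 0, but the memmove() that follows still copies desc->reslength bytes, so the write into desc->ubuf is bounded only if desc->reslength on its own can never exceed desc->wMaxCommand. That guarantee is not visible in this hunk; either state in the comment where it comes from, or skip or clamp the copy when desc->reslength > desc->wMaxCommand. Separately, the discarded data is reported only through dev_dbg(), so a reader gets a stream with a silent gap. Consider recording an error for the next read (desc->rerr is assigned just above) so userspace can tell that unread data was dropped. The "%d" format also assumes desc->length is an int, which the hunk does not show.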
