[linux-usb-devel] Re: [PATCH] USB update for 2.6.3

[Greg KH]

ChangeSet 1.1557.49.2, 2004/02/16 16:55:03-08:00, [EMAIL PROTECTED]

[PATCH] USB: fix usblp.c

The line that IMHO triggers the bug is this:

"writecount += usblp->writeurb->transfer_buffer_length;"

It uses "usblp->writeurb->transfer_buffer_length" before initializing it,
assuming that it will be zero on the first run. If it is not zero, but instead
random *negative* garbage from memory, the loop will start printing endless data
from user-space data.


 drivers/usb/class/usblp.c |   20 ++++++++------------
 1 files changed, 8 insertions(+), 12 deletions(-)


diff -Nru a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
--- a/drivers/usb/class/usblp.c Thu Feb 19 17:22:57 2004
+++ b/drivers/usb/class/usblp.c Thu Feb 19 17:22:57 2004
@@ -603,7 +603,7 @@
 {
        DECLARE_WAITQUEUE(wait, current);
        struct usblp *usblp = file->private_data;
-       int timeout, err = 0;
+       int timeout, err = 0, transfer_length;
        size_t writecount = 0;
 
        while (writecount < count) {
@@ -654,19 +654,13 @@
                        continue;
                }
 
-               writecount += usblp->writeurb->transfer_buffer_length;
-               usblp->writeurb->transfer_buffer_length = 0;
+               transfer_length=(count - writecount);
+               if (transfer_length > USBLP_BUF_SIZE)
+                       transfer_length = USBLP_BUF_SIZE;
 
-               if (writecount == count) {
-                       up (&usblp->sem);
-                       break;
-               }
+               usblp->writeurb->transfer_buffer_length = transfer_length;
 
-               usblp->writeurb->transfer_buffer_length = (count - writecount) < 
USBLP_BUF_SIZE ?
-                                                         (count - writecount) : 
USBLP_BUF_SIZE;
-
-               if (copy_from_user(usblp->writeurb->transfer_buffer, buffer + 
writecount,
-                               usblp->writeurb->transfer_buffer_length)) {
+               if (copy_from_user(usblp->writeurb->transfer_buffer, buffer + 
writecount, transfer_length)) {
                        up(&usblp->sem);
                        return writecount ? writecount : -EFAULT;
                }
@@ -683,6 +677,8 @@
                        break;
                }
                up (&usblp->sem);
+
+               writecount += transfer_length;
        }
 
        return count;



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id56&alloc_id438&op=click
_______________________________________________
[EMAIL PROTECTED]
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel