David:

I've been looking through hcd.c:rh_call_control(), intending to fix a
single problem (it alters urb->status without locking urb->lock).  It
turns out there are a couple of other problems there too.

In particular, the routine isn't careful about not copying more than
wLength bytes for small transfers.  And when handling class requests
there's no way for the HCD's hub_control() routine to set the proper value
in urb->actual_length.  (The hub_control routines aren't careful not to
copy more than wLength bytes either.)

Do you agree that these things need to be fixed?

Alan Stern
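
An added example, not part of the original message and not kernel code: a user-space C model of the bounding the message asks for, where a root-hub control reply is copied with a length limited by wLength and by the buffer size, and the copied count is recorded as the actual length. The struct `model_urb`, the functions `rh_reply` and `guard_intact`, and the bytes in `sample_reply` are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the URB fields named in the message. */
struct model_urb {
    uint8_t *transfer_buffer;
    size_t   transfer_buffer_length;
    size_t   actual_length;
};

/* Constructed 9-byte reply, standing in for a descriptor the root hub returns. */
static const uint8_t sample_reply[9] = {
    0x09, 0x29, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0xff
};

/* Copy at most min(len, wLength, transfer_buffer_length) bytes and report
 * the number actually copied, so a short request never receives more data
 * than it asked for and the caller sees the true transfer size. */
static size_t rh_reply(struct model_urb *urb, uint16_t wLength,
                       const uint8_t *src, size_t len)
{
    size_t n = len;
    if (n > wLength)
        n = wLength;
    if (n > urb->transfer_buffer_length)
        n = urb->transfer_buffer_length;
    if (n > 0)
        memcpy(urb->transfer_buffer, src, n);
    urb->actual_length = n;
    return n;
}

/* Returns 1 if every byte in buf[from..to) still holds the guard value. */
static int guard_intact(const uint8_t *buf, size_t from, size_t to, uint8_t guard)
{
    for (size_t i = from; i < to; i++)
        if (buf[i] != guard)
            return 0;
    return 1;
}

int main(void)
{
    uint8_t buf[16];
    struct model_urb urb = { buf, sizeof(buf), 0 };
    memset(buf, 0xAA, sizeof(buf));            /* guard pattern */
    size_t n = rh_reply(&urb, 4, sample_reply, sizeof(sample_reply));
    printf("copied=%zu actual_length=%zu guard_ok=%d\n", n,
           urb.actual_length, guard_intact(buf, 4, sizeof(buf), 0xAA));
    return 0;
}
```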


