Hi,

Vincent Pelletier <[email protected]> writes:
> Endpoint descriptors come in 2 sizes, struct usb_endpoint_descriptor being
> the largest. Take bLength into account to not copy past the endpoint
> descriptor end, which could be the next descriptor or past interface
> descriptor (by 2 bytes).
>
> Signed-off-by: Vincent Pelletier <[email protected]>
> ---
>  drivers/usb/gadget/function/f_fs.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/function/f_fs.c 
> b/drivers/usb/gadget/function/f_fs.c
> index 5490fc51638e..c573c4425f10 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
> @@ -1230,7 +1230,8 @@ static long ffs_epfile_ioctl(struct file *file, 
> unsigned code,
>                       desc = epfile->ep->descs[desc_idx];
>  
>                       spin_unlock_irq(&epfile->ffs->eps_lock);
> -                     ret = copy_to_user((void *)value, desc, sizeof(*desc));
> +                     ret = copy_to_user((void *)value, desc,
> +                                        min(sizeof(*desc), 
> (size_t)desc->bLength));

So we need min() here? desc->bLength should always contain the correct size.

-- 
balbi
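To make the commit message's point concrete, here is a user-space C demonstration (added here, not code from the patch or from the kernel) of what the unbounded copy does when a short endpoint descriptor is immediately followed by another descriptor. The descriptor blob, the `ep_desc` struct mirroring the 9-byte layout, and the `MIN` macro are all constructed for this example; the kernel's own struct usb_endpoint_descriptor and copy_to_user are not used.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define USB_DT_ENDPOINT 0x05

/* Hypothetical stand-in for the 9-byte endpoint descriptor layout, the larger of
 * the two legal sizes. All fields are bytes, so sizeof(struct ep_desc) == 9 with
 * no padding; wMaxPacketSize is kept as two bytes for that reason. */
struct ep_desc {
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bEndpointAddress;
    uint8_t bmAttributes;
    uint8_t wMaxPacketSize[2];  /* little-endian */
    uint8_t bInterval;
    uint8_t bRefresh;           /* only present in the 9-byte form */
    uint8_t bSynchAddress;      /* only present in the 9-byte form */
};

/* Constructed descriptor blob: a 7-byte endpoint descriptor (bulk IN, 512 bytes)
 * immediately followed by a 9-byte endpoint descriptor (isochronous OUT). */
static const uint8_t blob[] = {
    7, USB_DT_ENDPOINT, 0x81, 0x02, 0x00, 0x02, 0x00,
    9, USB_DT_ENDPOINT, 0x02, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00,
};

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Before the patch: always copies sizeof(struct), regardless of bLength. */
size_t copy_unbounded(uint8_t *out, const uint8_t *desc)
{
    memcpy(out, desc, sizeof(struct ep_desc));
    return sizeof(struct ep_desc);
}

/* After the patch: copy at most bLength bytes. The memset gives the caller a
 * deterministic tail, which the patch itself does not do. Returns bytes copied. */
size_t copy_bounded(uint8_t *out, const uint8_t *desc)
{
    size_t n = MIN(sizeof(struct ep_desc), (size_t)desc[0]);
    memset(out, 0, sizeof(struct ep_desc));
    memcpy(out, desc, n);
    return n;
}

/* Length the bounded copy would use for the descriptor at desc. */
size_t bounded_len_of(const uint8_t *desc)
{
    return MIN(sizeof(struct ep_desc), (size_t)desc[0]);
}

/* 1 if the unbounded copy of the 7-byte descriptor pulled in the next
 * descriptor's bLength and bDescriptorType as its "bRefresh"/"bSynchAddress". */
int unbounded_reads_past_descriptor(void)
{
    uint8_t out[sizeof(struct ep_desc)];
    copy_unbounded(out, blob);
    return out[7] == 9 && out[8] == USB_DT_ENDPOINT;
}

/* 1 if the bounded copy stopped at bLength and left the tail zeroed. */
int bounded_stops_at_blength(void)
{
    uint8_t out[sizeof(struct ep_desc)];
    size_t n = copy_bounded(out, blob);
    return n == 7 && out[7] == 0 && out[8] == 0;
}

int main(void)
{
    printf("unbounded copy leaks next descriptor: %d\n", unbounded_reads_past_descriptor());
    printf("bounded copy stops at bLength:        %d\n", bounded_stops_at_blength());
    printf("bounded length of 2nd descriptor:     %zu\n", bounded_len_of(blob + 7));
    return 0;
}
```

The leaked bytes (9 and 0x05) are perfectly plausible bRefresh/bSynchAddress values, which is why a caller handed a struct-sized buffer cannot tell from the data alone whether the trailing two bytes are real; it has to trust bLength.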
