[Adding Lukasz and Marek]
On Thu, Nov 17, 2022 at 6:50 AM Szymon Heidrich <szymon.heidr...@gmail.com> wrote: > > Assure that the control endpoint buffer of size USB_BUFSIZ (4096) > can not be overflown during handling of USB control transfer > requests with wLength greater than USB_BUFSIZ. > > Signed-off-by: Szymon Heidrich <szymon.heidr...@gmail.com> > --- > drivers/usb/gadget/composite.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c > index 2a309e624e..cb89f6dca9 100644 > --- a/drivers/usb/gadget/composite.c > +++ b/drivers/usb/gadget/composite.c > @@ -1019,6 +1019,17 @@ composite_setup(struct usb_gadget *gadget, const > struct usb_ctrlrequest *ctrl) > u8 endp; > struct usb_configuration *c; > > + if (w_length > USB_BUFSIZ) { > + if (ctrl->bRequestType & USB_DIR_IN) { > + /* Cast away the const, we are going to overwrite on > purpose. */ > + __le16 *temp = (__le16 *)&ctrl->wLength; > + *temp = cpu_to_le16(USB_BUFSIZ); > + w_length = USB_BUFSIZ; > + } else { > + goto done; > + } > + } > + > /* > * partial re-init of the response message; the function or the > * gadget might need to intercept e.g. a control-OUT completion > -- > 2.38.1 >
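Review bot: In the OUT branch, `goto done` leaves the function through whatever return value is already set at that point, and the hunk does not show it, so it is not visible here that an oversized control-OUT request is rejected with an error rather than reported as handled. Please confirm that the return value is still a negative error code when this jump is taken, or set it explicitly just before the `goto`. In the IN branch, the write through `(__le16 *)&ctrl->wLength` modifies a request the function receives as `const struct usb_ctrlrequest *ctrl`. The comment says the overwrite is on purpose but not why, so it would help to extend it to say which later readers of `ctrl->wLength` need to see the clamped length, since updating the local `w_length` alone would otherwise look sufficient. A short comment above the `if (w_length > USB_BUFSIZ)` check stating that USB_BUFSIZ is the size of the control endpoint buffer, as the commit message does, would also make the bound self-explanatory in the source.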