On 11/17/22 12:50, Fabio Estevam wrote:
[Adding Lukasz and Marek]

On Thu, Nov 17, 2022 at 6:50 AM Szymon Heidrich
<szymon.heidr...@gmail.com> wrote:

Ensure that the control endpoint buffer of size USB_BUFSIZ (4096)
cannot be overflowed during handling of USB control transfer
requests with wLength greater than USB_BUFSIZ.

Signed-off-by: Szymon Heidrich <szymon.heidr...@gmail.com>
---
  drivers/usb/gadget/composite.c | 11 +++++++++++
  1 file changed, 11 insertions(+)

diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 2a309e624e..cb89f6dca9 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1019,6 +1019,17 @@ composite_setup(struct usb_gadget *gadget, const struct 
usb_ctrlrequest *ctrl)
         u8                              endp;
         struct usb_configuration        *c;

+       if (w_length > USB_BUFSIZ) {
+               if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on 
purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+                       *temp = cpu_to_le16(USB_BUFSIZ);
+                       w_length = USB_BUFSIZ;
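Review bot: the const cast that rewrites `ctrl->wLength` in place needs a justification the comment does not give; "we are going to overwrite on purpose" says that it is intentional, not why the local `w_length = USB_BUFSIZ;` is not enough. `ctrl` is the request handed in by the UDC driver, so after this point anything else that reads `ctrl->wLength` sees a value the host never sent. If only the handlers in composite_setup() need the clamped length, clamp the local and drop the cast; if other readers of the request must see the clamped value, the commit message should name them so the reason survives the next refactor. Separately, the hunk as quoted here ends inside the `if (ctrl->bRequestType & USB_DIR_IN)` branch, so the OUT case is not visible: clamping works for IN because a short data stage is legal there (wLength is the most the host will accept), but for an OUT request the host will send wLength bytes, so the only safe handling of wLength > USB_BUFSIZ is to reject the request rather than queue it into the 4096-byte buffer. Worth confirming the full patch does that.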

Won't this end up sending corrupted packets in case they are longer than USB_BUFSIZ?

Where do such long packets come from ?

What is the test-case ?
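To make the overflow the patch targets concrete, here is an added example, not kernel code and not part of this thread: a cut-down model of a control endpoint handler, run once with the host-supplied wLength bounding the copy (the unsafe behaviour) and once with the IN clamp from the patch. USB_BUFSIZ and USB_DIR_IN carry the kernel's values; the struct names, the 8192-byte response blob, the canary placement and the choice to reject OUT requests with wLength > USB_BUFSIZ (the quoted hunk stops before the OUT path) are assumptions made for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code. Values below are the kernel's; the rest of
 * the layout is constructed so the overflow is observable in user space. */
#define USB_BUFSIZ 4096          /* composite.c control endpoint buffer size */
#define USB_DIR_IN 0x80          /* bRequestType bit: device-to-host */

/* Stand-in for struct usb_ctrlrequest (host byte order, for simplicity). */
struct ctrlreq {
    uint8_t  bRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

/* Constructed response larger than the ep0 buffer (think: a long descriptor). */
#define DESC_LEN 8192
static uint8_t big_descriptor[DESC_LEN];

/* The "ep0 buffer" is the first USB_BUFSIZ bytes of a larger arena; a 4-byte
 * canary sits right after it, followed by enough slack that an overflow stays
 * inside the arena and can be detected instead of crashing the demo. */
#define CANARY_LEN 4
#define ARENA_LEN (USB_BUFSIZ + CANARY_LEN + DESC_LEN)
static uint8_t arena[ARENA_LEN];
static const uint8_t canary[CANARY_LEN] = { 0xA5, 0x5A, 0xA5, 0x5A };

/* Unsafe handler: wLength, which the host controls, bounds the copy; the
 * buffer size does not. Returns the number of bytes "sent". */
static int handle_unsafe(uint8_t *buf, const struct ctrlreq *ctrl)
{
    size_t n = ctrl->wLength < DESC_LEN ? ctrl->wLength : DESC_LEN;
    memcpy(buf, big_descriptor, n);      /* runs past USB_BUFSIZ when n > 4096 */
    return (int)n;
}

/* Hardened handler: clamp IN requests to USB_BUFSIZ, as the patch does. A short
 * data stage is legal on an IN control transfer (wLength is the most the host
 * will accept). For OUT the host sends wLength bytes, so clamping cannot help;
 * this example rejects such requests (assumption, see lead-in). */
static int handle_hardened(uint8_t *buf, const struct ctrlreq *ctrl)
{
    uint16_t w_length = ctrl->wLength;

    if (w_length > USB_BUFSIZ) {
        if (!(ctrl->bRequestType & USB_DIR_IN))
            return -1;                   /* caller should stall ep0 */
        w_length = USB_BUFSIZ;
    }
    size_t n = w_length < DESC_LEN ? w_length : DESC_LEN;
    memcpy(buf, big_descriptor, n);
    return (int)n;
}

/* Run one request through a handler on a fresh arena; *intact reports whether
 * the canary behind the ep0 buffer survived. */
static int run(int (*h)(uint8_t *, const struct ctrlreq *),
               const struct ctrlreq *ctrl, int *intact)
{
    memset(arena, 0, sizeof arena);
    memcpy(arena + USB_BUFSIZ, canary, CANARY_LEN);
    int rc = h(arena, ctrl);
    *intact = memcmp(arena + USB_BUFSIZ, canary, CANARY_LEN) == 0;
    return rc;
}

/* The three cases the thread is about. Constructed requests: GET_DESCRIPTOR-
 * style IN and a generic OUT, both with wLength 0x2000 (8192) > USB_BUFSIZ. */
int unsafe_in_corrupts_canary(void)
{
    struct ctrlreq r = { USB_DIR_IN, 6, 0, 0, 0x2000 };
    int intact;
    run(handle_unsafe, &r, &intact);
    return !intact;                      /* 1: bytes landed past the buffer */
}

int hardened_in_copies(void)
{
    struct ctrlreq r = { USB_DIR_IN, 6, 0, 0, 0x2000 };
    int intact;
    int n = run(handle_hardened, &r, &intact);
    return intact ? n : -2;              /* USB_BUFSIZ: short response, no overflow */
}

int hardened_out_rejects(void)
{
    struct ctrlreq r = { 0x00, 9, 0, 0, 0x2000 };
    int intact;
    int rc = run(handle_hardened, &r, &intact);
    return intact ? rc : -2;             /* -1: request refused, buffer untouched */
}

int main(void)
{
    printf("unsafe IN corrupts canary: %d\n", unsafe_in_corrupts_canary());
    printf("hardened IN copies %d bytes\n", hardened_in_copies());
    printf("hardened OUT returns %d\n", hardened_out_rejects());
    return 0;
}
```

The clamp answers the "corrupted packets" question for the IN direction only: the device returns a 4096-byte data stage and the host, which asked for up to 8192, sees a short transfer, which is valid. Nothing in this example says what the real handlers in composite_setup() copy; the descriptor blob merely stands in for any response whose length is derived from wLength.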
