Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-5.4 / f199a80cfece94b67f9e3d2955666e47c6051517^! / . / drivers / usb / gadget / function / f_fs.c
commitf199a80cfece94b67f9e3d2955666e47c6051517[log] [tgz]
authorVincent Pelletier <plr.vincent@gmail.com>Tue Jan 17 13:20:11 2017 +0000
committerFelipe Balbi <felipe.balbi@linux.intel.com>Tue Jan 24 11:04:23 2017 +0200
treea74783987461264c63274010e67d50ceb67e4311
parenta98feef743a254fc976a1db8b773a3cd9fec1a30 [diff] [blame]
usb: gadger: f_fs: Do not copy past descriptor end.

Endpoint descriptors come in 2 sizes, struct usb_endpoint_descriptor being
the largest. Use bLength to stop on endpoint descriptor boundary, and not
2 bytes too far.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 5e746ad..e126897 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c

@@ -1230,7 +1230,7 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code,
 			desc = epfile->ep->descs[desc_idx];
 
 			spin_unlock_irq(&epfile->ffs->eps_lock);
-			ret = copy_to_user((void *)value, desc, sizeof(*desc));
+			ret = copy_to_user((void *)value, desc, desc->bLength);
 			if (ret)
 				ret = -EFAULT;
 			return ret;