Commit cfd3c22c authored by Maksim Salau's avatar Maksim Salau Committed by Greg Kroah-Hartman

usb: misc: legousbtower: Fix buffers on stack

commit 942a4873 upstream.

Allocate buffers on HEAP instead of STACK for local structures
that are to be received using usb_control_msg().
Signed-off-by: default avatarMaksim Salau <maksim.salau@gmail.com>
Tested-by: default avatarAlfredo Rafael Vicente Boix <alviboi@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 02d86837
...@@ -317,9 +317,16 @@ static int tower_open (struct inode *inode, struct file *file) ...@@ -317,9 +317,16 @@ static int tower_open (struct inode *inode, struct file *file)
int subminor; int subminor;
int retval = 0; int retval = 0;
struct usb_interface *interface; struct usb_interface *interface;
struct tower_reset_reply reset_reply; struct tower_reset_reply *reset_reply;
int result; int result;
reset_reply = kmalloc(sizeof(*reset_reply), GFP_KERNEL);
if (!reset_reply) {
retval = -ENOMEM;
goto exit;
}
nonseekable_open(inode, file); nonseekable_open(inode, file);
subminor = iminor(inode); subminor = iminor(inode);
...@@ -364,8 +371,8 @@ static int tower_open (struct inode *inode, struct file *file) ...@@ -364,8 +371,8 @@ static int tower_open (struct inode *inode, struct file *file)
USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE, USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
0, 0,
0, 0,
&reset_reply, reset_reply,
sizeof(reset_reply), sizeof(*reset_reply),
1000); 1000);
if (result < 0) { if (result < 0) {
dev_err(&dev->udev->dev, dev_err(&dev->udev->dev,
...@@ -406,6 +413,7 @@ static int tower_open (struct inode *inode, struct file *file) ...@@ -406,6 +413,7 @@ static int tower_open (struct inode *inode, struct file *file)
mutex_unlock(&dev->lock); mutex_unlock(&dev->lock);
exit: exit:
kfree(reset_reply);
return retval; return retval;
} }
...@@ -808,7 +816,7 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device ...@@ -808,7 +816,7 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
struct lego_usb_tower *dev = NULL; struct lego_usb_tower *dev = NULL;
struct usb_host_interface *iface_desc; struct usb_host_interface *iface_desc;
struct usb_endpoint_descriptor* endpoint; struct usb_endpoint_descriptor* endpoint;
struct tower_get_version_reply get_version_reply; struct tower_get_version_reply *get_version_reply = NULL;
int i; int i;
int retval = -ENOMEM; int retval = -ENOMEM;
int result; int result;
...@@ -886,6 +894,13 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device ...@@ -886,6 +894,13 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
dev->interrupt_in_interval = interrupt_in_interval ? interrupt_in_interval : dev->interrupt_in_endpoint->bInterval; dev->interrupt_in_interval = interrupt_in_interval ? interrupt_in_interval : dev->interrupt_in_endpoint->bInterval;
dev->interrupt_out_interval = interrupt_out_interval ? interrupt_out_interval : dev->interrupt_out_endpoint->bInterval; dev->interrupt_out_interval = interrupt_out_interval ? interrupt_out_interval : dev->interrupt_out_endpoint->bInterval;
get_version_reply = kmalloc(sizeof(*get_version_reply), GFP_KERNEL);
if (!get_version_reply) {
retval = -ENOMEM;
goto error;
}
/* get the firmware version and log it */ /* get the firmware version and log it */
result = usb_control_msg (udev, result = usb_control_msg (udev,
usb_rcvctrlpipe(udev, 0), usb_rcvctrlpipe(udev, 0),
...@@ -893,18 +908,19 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device ...@@ -893,18 +908,19 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE, USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
0, 0,
0, 0,
&get_version_reply, get_version_reply,
sizeof(get_version_reply), sizeof(*get_version_reply),
1000); 1000);
if (result < 0) { if (result < 0) {
dev_err(idev, "LEGO USB Tower get version control request failed\n"); dev_err(idev, "LEGO USB Tower get version control request failed\n");
retval = result; retval = result;
goto error; goto error;
} }
dev_info(&interface->dev, "LEGO USB Tower firmware version is %d.%d " dev_info(&interface->dev,
"build %d\n", get_version_reply.major, "LEGO USB Tower firmware version is %d.%d build %d\n",
get_version_reply.minor, get_version_reply->major,
le16_to_cpu(get_version_reply.build_no)); get_version_reply->minor,
le16_to_cpu(get_version_reply->build_no));
/* we can register the device now, as it is ready */ /* we can register the device now, as it is ready */
usb_set_intfdata (interface, dev); usb_set_intfdata (interface, dev);
...@@ -928,6 +944,7 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device ...@@ -928,6 +944,7 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
return retval; return retval;
error: error:
kfree(get_version_reply);
tower_delete(dev); tower_delete(dev);
return retval; return retval;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment