[PATCH] PATCH: 2.6.7-rc3 drivers/usb/core/devio.c: user/kernel pointer bugs

Since ctrl is copied in from userspace, ctrl.data cannot safely be dereferenced. Let me know if you have any questions or if I've made a mistake. Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

[PATCH] PATCH: 2.6.7-rc3 drivers/usb/core/devio.c: user/kernel pointer bugs
Since ctrl is copied in from userspace, ctrl.data cannot safely be dereferenced. Let me know if you have any questions or if I've made a mistake. Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
460e0fc2 · Robert T. Johnson · Greg Kroah-Hartman · b4a8f23b · 460e0fc2
Commit 460e0fc2 authored Jun 09, 2004 by Robert T. Johnson Committed by Greg Kroah-Hartman Jun 09, 2004
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

drivers/usb/core/devio.c drivers/usb/core/devio.c +2 -2

No files found.
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -558,7 +558,7 @@ static int proc_control(struct dev_state *ps, void __user *arg)
 			if (usbfs_snoop) {
 				dev_info(&dev->dev, "control read: data ");
 				for (j = 0; j < ctrl.wLength; ++j)
-					printk ("%02x ", (unsigned char)((char *)ctrl.data)[j]);
+					printk ("%02x ", (unsigned char)(tbuf)[j]);
 				printk("\n");
 			}
 			if (copy_to_user(ctrl.data, tbuf, ctrl.wLength)) {
@@ -578,7 +578,7 @@ static int proc_control(struct dev_state *ps, void __user *arg)
 		if (usbfs_snoop) {
 			dev_info(&dev->dev, "control write: data: ");
 			for (j = 0; j < ctrl.wLength; ++j)
-				printk ("%02x ", (unsigned char)((char *)ctrl.data)[j]);
+				printk ("%02x ", (unsigned char)(tbuf)[j]);
 			printk("\n");
 		}
 		i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType,