Commit 5baa19b3 authored by Paulo Marques's avatar Paulo Marques Committed by Deepak Saxena

[PATCH] USB: fix usblp.c

The line that IMHO triggers the bug is this:

"writecount += usblp->writeurb->transfer_buffer_length;"

It uses "usblp->writeurb->transfer_buffer_length" before initializing it,
assuming that it will be zero on the first run. If it is not zero, but instead
random *negative* garbage from memory, the loop will start printing endless data
from user-space data.
parent 2a62f1e1
...@@ -603,7 +603,7 @@ static ssize_t usblp_write(struct file *file, const char __user *buffer, size_t ...@@ -603,7 +603,7 @@ static ssize_t usblp_write(struct file *file, const char __user *buffer, size_t
{ {
DECLARE_WAITQUEUE(wait, current); DECLARE_WAITQUEUE(wait, current);
struct usblp *usblp = file->private_data; struct usblp *usblp = file->private_data;
int timeout, err = 0; int timeout, err = 0, transfer_length;
size_t writecount = 0; size_t writecount = 0;
while (writecount < count) { while (writecount < count) {
...@@ -654,19 +654,13 @@ static ssize_t usblp_write(struct file *file, const char __user *buffer, size_t ...@@ -654,19 +654,13 @@ static ssize_t usblp_write(struct file *file, const char __user *buffer, size_t
continue; continue;
} }
writecount += usblp->writeurb->transfer_buffer_length; transfer_length=(count - writecount);
usblp->writeurb->transfer_buffer_length = 0; if (transfer_length > USBLP_BUF_SIZE)
transfer_length = USBLP_BUF_SIZE;
if (writecount == count) {
up (&usblp->sem);
break;
}
usblp->writeurb->transfer_buffer_length = (count - writecount) < USBLP_BUF_SIZE ? usblp->writeurb->transfer_buffer_length = transfer_length;
(count - writecount) : USBLP_BUF_SIZE;
if (copy_from_user(usblp->writeurb->transfer_buffer, buffer + writecount, if (copy_from_user(usblp->writeurb->transfer_buffer, buffer + writecount, transfer_length)) {
usblp->writeurb->transfer_buffer_length)) {
up(&usblp->sem); up(&usblp->sem);
return writecount ? writecount : -EFAULT; return writecount ? writecount : -EFAULT;
} }
...@@ -683,6 +677,8 @@ static ssize_t usblp_write(struct file *file, const char __user *buffer, size_t ...@@ -683,6 +677,8 @@ static ssize_t usblp_write(struct file *file, const char __user *buffer, size_t
break; break;
} }
up (&usblp->sem); up (&usblp->sem);
writecount += transfer_length;
} }
return count; return count;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment