Message ID | 20240411124722.17343-7-oneukum@suse.com (mailing list archive) |
---|---|
State | Superseded |
Series | [RFC,1/6] usb: usb_parse_endpoint ignore reserved bits |
On Thu, Apr 11, 2024 at 02:43:04PM +0200, Oliver Neukum wrote: > If you parse a data structure you cannot > just test whether the remainder of your buffer holds > data. It needs to hold a full data structure. > > Signed-off-by: Oliver Neukum <oneukum@suse.com> > --- > drivers/usb/core/config.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c > index 50acc9021247..43c5ed256e6e 100644 > --- a/drivers/usb/core/config.c > +++ b/drivers/usb/core/config.c > @@ -32,7 +32,7 @@ static int find_next_descriptor(unsigned char *buffer, int size, > unsigned char *buffer0 = buffer; > > /* Find the next descriptor of type dt1 or dt2 */ > - while (size > 0) { > + while (size >= sizeof(struct usb_descriptor_header)) { > h = (struct usb_descriptor_header *) buffer; > if (h->bDescriptorType == dt1 || h->bDescriptorType == dt2) > break; In fact, I don't think this is needed at all. These checks are already present in usb_parse_configuration(). Alan Stern
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 50acc9021247..43c5ed256e6e 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -32,7 +32,7 @@ static int find_next_descriptor(unsigned char *buffer, int size, unsigned char *buffer0 = buffer; /* Find the next descriptor of type dt1 or dt2 */ - while (size > 0) { + while (size >= sizeof(struct usb_descriptor_header)) { h = (struct usb_descriptor_header *) buffer; if (h->bDescriptorType == dt1 || h->bDescriptorType == dt2) break;
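Review bot: In the new loop condition, `size` is an `int` (per the `find_next_descriptor(unsigned char *buffer, int size,` signature) while `sizeof(struct usb_descriptor_header)` is a `size_t`, so the comparison is done in unsigned arithmetic: a negative `size` converts to a very large value and the test passes, whereas the old `size > 0` ended the loop. If the loop body can drive `size` below zero (the body is not visible in this hunk), the new check is weaker than the old one on that path. Suggest casting the right-hand side, for example `while (size >= (int)sizeof(struct usb_descriptor_header)) {`, and stating in the commit message whether the callers already guarantee a well-formed remainder, given the reply's point that usb_parse_configuration() performs these checks.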
If you parse a data structure you cannot just test whether the remainder of your buffer holds data. It needs to hold a full data structure.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/usb/core/config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)