[49/89] USB: usbfs: only copy the actual data received
in [Kernel]
|
Prev: [35/89] usb: serial: fix memory leak in generic driver
Next: [32/89] USB: EHCI: fix handling of unusual interrupt intervals
From: Greg KH on 30 Mar 2010 20:30 2.6.31-stable review patch. If anyone has any objections, please let us know. ------------------ commit d4a4683ca054ed9917dfc9e3ff0f7ecf74ad90d6 upstream We need to only copy the data received by the device to userspace, not the whole kernel buffer, which can contain "stale" data. Thanks to Marcus Meissner for pointing this out and testing the fix. Reported-by: Marcus Meissner <meissner(a)suse.de> Tested-by: Marcus Meissner <meissner(a)suse.de> Cc: Alan Stern <stern(a)rowland.harvard.edu> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: stable <stable(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)suse.de> Acked-by: Jeff Mahoney <jeffm(a)suse.com> --- drivers/usb/core/devio.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1240,9 +1240,9 @@ static int processcompl(struct async *as void __user *addr = as->userurb; unsigned int i; - if (as->userbuffer) + if (as->userbuffer && urb->actual_length) if (copy_to_user(as->userbuffer, urb->transfer_buffer, - urb->transfer_buffer_length)) + urb->actual_length)) goto err_out; if (put_user(as->status, &userurb->status)) goto err_out; @@ -1368,9 +1368,9 @@ static int processcompl_compat(struct as void __user *addr = as->userurb; unsigned int i; - if (as->userbuffer) + if (as->userbuffer && urb->actual_length) if (copy_to_user(as->userbuffer, urb->transfer_buffer, - urb->transfer_buffer_length)) + urb->actual_length)) return -EFAULT; if (put_user(as->status, &userurb->status)) return -EFAULT; -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |