diff options
| author | Greg Kroah-Hartman <gregkh@suse.de> | 2010-02-16 12:20:04 -0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-02-16 12:20:04 -0800 |
| commit | cfaec35098c3751917ce70f8b5027ab857d5a62d (patch) | |
| tree | 74ad92dbec1da8917d06e5f4d16adc36e9e06a10 /usb.current | |
| parent | 9d50402d2fe2dd94dca0cfccd1c1b0674316967d (diff) | |
| download | patches-cfaec35098c3751917ce70f8b5027ab857d5a62d.tar.gz | |
another usb patch
Diffstat (limited to 'usb.current')
| -rw-r--r-- | usb.current/usb-usbfs-only-copy-the-actual-data-received.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/usb.current/usb-usbfs-only-copy-the-actual-data-received.patch b/usb.current/usb-usbfs-only-copy-the-actual-data-received.patch new file mode 100644 index 00000000000000..9064607e94c824 --- /dev/null +++ b/usb.current/usb-usbfs-only-copy-the-actual-data-received.patch @@ -0,0 +1,49 @@ +From security-bounces@linux.kernel.org Mon Feb 15 09:38:09 2010 +From: Greg KH <greg@kroah.com> +Date: Mon, 15 Feb 2010 09:37:46 -0800 +Subject: USB: usbfs: only copy the actual data received +To: Alan Stern <stern@rowland.harvard.edu> +Cc: Marcus Meissner <meissner@suse.de> + +We need to only copy the data received by the device to userspace, not +the whole kernel buffer, which can contain "stale" data. + +Thanks to Marcus Meissner for pointing this out and testing the fix. + +Reported-by: Marcus Meissner <meissner@suse.de> +Tested-by: Marcus Meissner <meissner@suse.de> +Cc: Alan Stern <stern@rowland.harvard.edu> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: stable <stable@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/core/devio.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1312,9 +1312,9 @@ static int processcompl(struct async *as + void __user *addr = as->userurb; + unsigned int i; + +- if (as->userbuffer) ++ if (as->userbuffer && urb->actual_length) + if (copy_to_user(as->userbuffer, urb->transfer_buffer, +- urb->transfer_buffer_length)) ++ urb->actual_length)) + goto err_out; + if (put_user(as->status, &userurb->status)) + goto err_out; +@@ -1475,9 +1475,9 @@ static int processcompl_compat(struct as + void __user *addr = as->userurb; + unsigned int i; + +- if (as->userbuffer) ++ if (as->userbuffer && urb->actual_length) + if (copy_to_user(as->userbuffer, urb->transfer_buffer, +- urb->transfer_buffer_length)) ++ urb->actual_length)) + return -EFAULT; + if (put_user(as->status, &userurb->status)) + return -EFAULT; |