Commit 14427b86 authored by Ben Hutchings's avatar Ben Hutchings Committed by Greg Kroah-Hartman
Browse files

USB: yurex: Check for truncation in yurex_read() 



snprintf() always returns the full length of the string it could have
printed, even if it was truncated because the buffer was too small.
So in case the counter value is truncated, we will over-read from
in_buffer and over-write to the caller's buffer.

I don't think it's actually possible for this to happen, but in case
truncation occurs, WARN and return -EIO.

Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 7e10f14e

drivers/usb/misc/yurex.c

+3 −0
Original line number Diff line number Diff line
@@ -413,6 +413,9 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, 
	spin_unlock_irqrestore(&dev->lock, flags);

	mutex_unlock(&dev->io_mutex);



	if (WARN_ON_ONCE(len >= sizeof(in_buffer)))

		return -EIO;



	return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE