public inbox for kernel-janitors@vger.kernel.org
 help / color / mirror / Atom feed
* [patch] usb: gadget: f_fs: signedness bug in __ffs_func_bind_do_descs()
@ 2014-09-09 12:06 Dan Carpenter
  2014-09-09 13:57 ` Michal Nazarewicz
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Dan Carpenter @ 2014-09-09 12:06 UTC (permalink / raw)
  To: kernel-janitors

We need "idx" to be signed for the error handling to work.

Fixes: 6d5c1c77bbf9 ('usb: gadget: f_fs: fix the redundant ep files problem')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Btw, there is a sparse warning:

drivers/usb/gadget/function/f_fs.c:401:44: warning: Variable length array is used.

The risk here is that the array would be too large.  I don't know the
code well enough to say if it can be triggered, but from an outsider
perspective it looks scary (security implications).  There should be a
comment explaining why it can't be used to overflow the 8k stack.

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 0dc3552..7ad7137 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2393,7 +2393,8 @@ static int __ffs_func_bind_do_descs(enum ffs_entity_type type, u8 *valuep,
 	struct usb_endpoint_descriptor *ds = (void *)desc;
 	struct ffs_function *func = priv;
 	struct ffs_ep *ffs_ep;
-	unsigned ep_desc_id, idx;
+	unsigned ep_desc_id;
+	int idx;
 	static const char *speed_names[] = { "full", "high", "super" };
 
 	if (type != FFS_DESCRIPTOR)

^ permalink raw reply related	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2014-09-10 11:05 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-09-09 12:06 [patch] usb: gadget: f_fs: signedness bug in __ffs_func_bind_do_descs() Dan Carpenter
2014-09-09 13:57 ` Michal Nazarewicz
2014-09-09 14:25 ` Dan Carpenter
2014-09-09 16:37 ` Michal Nazarewicz
2014-09-09 16:40 ` Felipe Balbi
2014-09-10 11:05 ` Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox