Linux kernel drivers/usb/gadget/function/f_fs.c

static int __ffs_func_bind_do_os_desc(enum ffs_os_desc_type type,
                                      struct usb_os_desc_header *h, void *data,
                                      unsigned len, void *priv)
        struct ffs_function *func = priv;
        u8 length = 0;

        switch (type) {

                ext_prop->type = le32_to_cpu(desc->dwPropertyDataType);
                ext_prop->name_len = le16_to_cpu(desc->wPropertyNameLength);
                ext_prop->data_len = le32_to_cpu(*(u32 *)
                        usb_ext_prop_data_len_ptr(data, ext_prop->name_len));
                length = ext_prop->name_len + ext_prop->data_len + 14;

length is almost certain not able to hold the correct size if name_len and data_len are not small. considering that name_len comes from le16 and data_len comes from le32, it seems likely that they won't always be trivially small.


Popular posts from this blog

NetBSD kernel wscons IOCTL vulnerable bug class

Linux Kernel Infoleaks

InfoSect's Month of Pointless Bugs (#1, #2)