Linux kernel drivers/usb/gadget/function/f_fs.c

static int __ffs_func_bind_do_os_desc(enum ffs_os_desc_type type,
                                      struct usb_os_desc_header *h, void *data,
                                      unsigned len, void *priv)
{
        struct ffs_function *func = priv;
        u8 length = 0;

        switch (type) {
        /* ... earlier cases and the local declarations of this case elided ... */

                ext_prop->type = le32_to_cpu(desc->dwPropertyDataType);
                ext_prop->name_len = le16_to_cpu(desc->wPropertyNameLength);
                ext_prop->data_len = le32_to_cpu(*(u32 *)
                        usb_ext_prop_data_len_ptr(data, ext_prop->name_len));
                length = ext_prop->name_len + ext_prop->data_len + 14;
        /* ... rest of the function elided ... */

`length` is a u8, so it almost certainly cannot hold the correct size once name_len and data_len are not small: the sum is silently truncated to its low 8 bits. Since name_len is read from an le16 field and data_len from an le32 field of a descriptor supplied from user space, they will not always be trivially small.
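As an added example (not kernel code), the following mirrors the u8 arithmetic above with constructed descriptor field values to show the truncation, and contrasts it with a hypothetical widened, bounds-checked computation; the `14` is the fixed header size of an extended-property descriptor (dwSize, dwPropertyDataType, wPropertyNameLength and dwPropertyDataLength). The checked variant and its `len` argument are assumptions for illustration, not the kernel's own fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Mirrors `u8 length = name_len + data_len + 14;` from f_fs.c:
 * name_len comes from a 16-bit field, data_len from a 32-bit field,
 * and the result is stored into an 8-bit variable, so the sum is
 * implicitly truncated modulo 256. */
uint8_t ext_prop_length_u8(uint16_t name_len, uint32_t data_len)
{
        uint8_t length = 0;
        length = name_len + data_len + 14; /* truncated to the low 8 bits */
        return length;
}

/* Hypothetical hardened variant (not the kernel's code): compute the
 * size in 64 bits and reject a descriptor whose claimed size exceeds
 * the `len` bytes actually available to the parser. Returns the
 * validated size, or -1 if the descriptor does not fit. */
int64_t ext_prop_length_checked(uint16_t name_len, uint32_t data_len,
                                size_t len)
{
        uint64_t total = (uint64_t)name_len + data_len + 14;

        if (total > len)
                return -1;
        return (int64_t)total;
}

int main(void)
{
        /* Constructed values: a 200-byte property name and 100 bytes
         * of property data, in a buffer of only 64 bytes. */
        uint16_t name_len = 200;
        uint32_t data_len = 100;
        size_t avail = 64;

        printf("u8 length: %u (true size %u)\n",
               (unsigned)ext_prop_length_u8(name_len, data_len),
               (unsigned)(name_len + data_len + 14));
        if (ext_prop_length_checked(name_len, data_len, avail) < 0)
                printf("rejected: descriptor exceeds %zu available bytes\n",
                       avail);
        return 0;
}
```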
