Linux kernel drivers/usb/gadget/function/f_fs.c

static int __ffs_func_bind_do_os_desc(enum ffs_os_desc_type type,
                                      struct usb_os_desc_header *h, void *data,
                                      unsigned len, void *priv)
        struct ffs_function *func = priv;
        u8 length = 0;

        switch (type) {

                ext_prop->type = le32_to_cpu(desc->dwPropertyDataType);
                ext_prop->name_len = le16_to_cpu(desc->wPropertyNameLength);
                ext_prop->data_len = le32_to_cpu(*(u32 *)
                        usb_ext_prop_data_len_ptr(data, ext_prop->name_len));
                length = ext_prop->name_len + ext_prop->data_len + 14;

length is almost certain not able to hold the correct size if name_len and data_len are not small. considering that name_len comes from le16 and data_len comes from le32, it seems likely that they won't always be trivially small.


Popular posts from this blog

Heap Exploitation in Chrome's PartitionAlloc - part 1

Pointer Compression in V8

Linux Kernel Stack Smashing