[patch 26/76] usb-storage: don't access beyond the end of the sg buffer

From: Chris Wright
Date: Fri Mar 21 2008 - 18:57:44 EST


-stable review patch. If anyone has any objections, please let us know.
---------------------

From: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>

This patch (as1038) fixes a bug in usb_stor_access_xfer_buf() and
usb_stor_set_xfer_buf() (the bug was originally found by Boaz
Harrosh): The routine must not attempt to write beyond the end of a
scatter-gather list or beyond the number of bytes requested.

This is the minimal 2.6.24 equivalent to as1035 +
as1037 (7084191d53b224b953c8e1db525ea6c31aca5fc7 "USB:
usb-storage: don't access beyond the end of the sg buffer" +
6d512a80c26d87f8599057c86dc920fbfe0aa3aa "usb-storage: update earlier
scatter-gather bug fix"). Mark Glines has confirmed that it fixes
his problem.

Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
Cc: Mark Glines <mark@xxxxxxxxxx>
Cc: Boaz Harrosh <bharrosh@xxxxxxxxxxx>
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
drivers/usb/storage/protocol.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/storage/protocol.c
+++ b/drivers/usb/storage/protocol.c
@@ -194,7 +194,7 @@ unsigned int usb_stor_access_xfer_buf(un
* and the starting offset within the page, and update
* the *offset and *index values for the next loop. */
cnt = 0;
- while (cnt < buflen) {
+ while (cnt < buflen && sg) {
struct page *page = sg_page(sg) +
((sg->offset + *offset) >> PAGE_SHIFT);
unsigned int poff =
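Review bot: the new `&& sg` test on the while condition only stops the overrun if the code that advances `sg` at the bottom of the loop (not shown in this hunk) leaves it NULL once the final scatterlist entry has been consumed; please confirm that step does so, otherwise `sg_page(sg)` on the next iteration still dereferences past the list. Since the loop can now exit before `buflen` bytes have been moved, the comment above it should say that callers must rely on the returned byte count rather than assume the full `buflen` was transferred.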
@@ -249,7 +249,8 @@ void usb_stor_set_xfer_buf(unsigned char
unsigned int offset = 0;
struct scatterlist *sg = NULL;

- usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
+ buflen = min(buflen, srb->request_bufflen);
+ buflen = usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
TO_XFER_BUF);
if (buflen < srb->request_bufflen)
srb->resid = srb->request_bufflen - buflen;

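Review bot: `min(buflen, srb->request_bufflen)` requires both operands to have the same type, because the kernel's min() macro carries a type check that warns at compile time on a mismatch; `buflen`'s declaration is cut off in the hunk header, so please confirm it is the same unsigned type as `request_bufflen`, or use `min_t(unsigned int, ...)`. Capturing the return value of usb_stor_access_xfer_buf() into `buflen` is the right change for the `resid` computation below, which now reflects the bytes actually copied rather than the length that was asked for.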
--