diff options
| author | Marc Balmer <mbalmer@cvs.openbsd.org> | 2007-07-27 09:16:10 +0000 |
|---|---|---|
| committer | Marc Balmer <mbalmer@cvs.openbsd.org> | 2007-07-27 09:16:10 +0000 |
| commit | 0ef7ffbe71515f50522aef0e0a66ecd9059119b9 (patch) | |
| tree | 3811c111086183cd076d488c4854d72afa6e6ac9 /sys/dev/usb/usbf_subr.c | |
| parent | c5c270f8f3953c1f9f142e78befad9bacd0917fa (diff) | |
Correct the length of the usb_string_descriptor_t and fix a possible
buffer overflow.
Problem found by (and original diff from) Marc Winiger <mw@msys.ch>, comment
by me on jsg's request.
ok jsg, claudio
Diffstat (limited to 'sys/dev/usb/usbf_subr.c')
| -rw-r--r-- | sys/dev/usb/usbf_subr.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/dev/usb/usbf_subr.c b/sys/dev/usb/usbf_subr.c index 6971f1d8582..3fc93cf128f 100644 --- a/sys/dev/usb/usbf_subr.c +++ b/sys/dev/usb/usbf_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: usbf_subr.c,v 1.9 2007/06/15 11:41:48 mbalmer Exp $ */ +/* $OpenBSD: usbf_subr.c,v 1.10 2007/07/27 09:16:09 mbalmer Exp $ */ /* * Copyright (c) 2006 Uwe Stuehler <uwe@openbsd.org> @@ -308,8 +308,8 @@ usbf_add_string(usbf_device_handle dev, const char *string) dev->string_id == USBF_STRING_ID_MAX) return USBF_EMPTY_STRING_ID; - if ((len = strlen(string)) > USB_MAX_STRING_LEN) - len = USB_MAX_STRING_LEN; + if ((len = strlen(string)) >= USB_MAX_STRING_LEN) + len = USB_MAX_STRING_LEN - 1; oldsize = dev->sdesc_size; newsize = oldsize + 2 + 2 * len; @@ -322,7 +322,7 @@ usbf_add_string(usbf_device_handle dev, const char *string) sd = (usb_string_descriptor_t *)((char *)sd + oldsize); sd->bLength = newsize - oldsize; sd->bDescriptorType = UDESC_STRING; - for (i = 0; string[i] != '\0'; i++) + for (i = 0; string[i] != '\0' && i < len; i++) USETW(sd->bString[i], string[i]); id = dev->string_id++; |