ChangeSet 1.1722.97.62, 2004/06/10 09:48:09-07:00, rtjohnso@eecs.berkeley.edu

[PATCH] PATCH: 2.6.7-rc3 drivers/usb/core/devio.c: user/kernel pointer bugs

Since ctrl is copied in from userspace, ctrl.data cannot safely be
dereferenced.  Let me know if you have any questions or if I've made
a mistake.

Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>


 drivers/usb/core/devio.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)


diff -Nru a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
--- a/drivers/usb/core/devio.c	Fri Jun 18 10:56:33 2004
+++ b/drivers/usb/core/devio.c	Fri Jun 18 10:56:33 2004
@@ -558,7 +558,7 @@
 			if (usbfs_snoop) {
 				dev_info(&dev->dev, "control read: data ");
 				for (j = 0; j < ctrl.wLength; ++j)
-					printk ("%02x ", (unsigned char)((char *)ctrl.data)[j]);
+					printk ("%02x ", (unsigned char)(tbuf)[j]);
 				printk("\n");
 			}
 			if (copy_to_user(ctrl.data, tbuf, ctrl.wLength)) {
@@ -578,7 +578,7 @@
 		if (usbfs_snoop) {
 			dev_info(&dev->dev, "control write: data: ");
 			for (j = 0; j < ctrl.wLength; ++j)
-				printk ("%02x ", (unsigned char)((char *)ctrl.data)[j]);
+				printk ("%02x ", (unsigned char)(tbuf)[j]);
 			printk("\n");
 		}
 		i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType,