Clamp hub control wLength to a reasonable maximum before allocating the response buffer to avoid oversized allocations and remove the FIXME about unspecified lengths.
Signed-off-by: Ayaan Mirza Baig ayaanmirzabaig85@gmail.com --- drivers/staging/greybus/usb.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/greybus/usb.c b/drivers/staging/greybus/usb.c index 475f24f20cd4..1502641f5dbb 100644 --- a/drivers/staging/greybus/usb.c +++ b/drivers/staging/greybus/usb.c @@ -105,7 +105,13 @@ static int hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, u16 wIndex, size_t response_size; int ret;
- /* FIXME: handle unspecified lengths */ + /* + * Clamp wLength to a reasonable maximum to avoid oversized allocations. + * USB control responses are expected to be small, use 2K as a safe + * upper bound for the response payload. + */ + if (wLength > 2048) + wLength = 2048; response_size = sizeof(*response) + wLength;
operation = gb_operation_create(dev->connection,
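Review bot: The clamp `if (wLength > 2048)` in hub_control() bounds large values, but the FIXME it deletes was about unspecified lengths, and nothing in the new lines handles that case, so either keep the FIXME or explain in the commit message why the clamp resolves it. The clamp also overwrites `wLength` in place before `response_size = sizeof(*response) + wLength;`, so any later use of `wLength` in this function sees the truncated value and the caller gets no indication that its request was shortened. Consider rejecting an over-limit request with an error, or clamping into a local variable and documenting the short response. The bare 2048 should be a named constant, and the comment's "expected to be small" would be stronger with a reference to where that bound comes from.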