usb: misc: legousbtower: Fix buffers on stack

commit 942a48730f upstream. Allocate buffers on HEAP instead of STACK for local structures that are to be received using usb_control_msg(). Signed-off-by: Maksim Salau <maksim.salau@gmail.com> Tested-by: Alfredo Rafael Vicente Boix <alviboi@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-04-25 22:49:21 +03:00
parent f5eea276d8
commit 810b7c5599
1 changed files with 27 additions and 10 deletions
--- a/drivers/usb/misc/legousbtower.c
+++ b/drivers/usb/misc/legousbtower.c
@ -317,9 +317,16 @@ static int tower_open (struct inode *inode, struct file *file)
 	int subminor;
 	int retval = 0;
 	struct usb_interface *interface;
-	struct tower_reset_reply reset_reply;
+	struct tower_reset_reply *reset_reply;
 	int result;
 	reset_reply = kmalloc(sizeof(*reset_reply), GFP_KERNEL);
 	if (!reset_reply) {
 		retval = -ENOMEM;
 		goto exit;
 	}
 	nonseekable_open(inode, file);
 	subminor = iminor(inode);
@ -364,8 +371,8 @@ static int tower_open (struct inode *inode, struct file *file)
 				  USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
 				  0,
 				  0,
-				  &reset_reply,
+				  reset_reply,
-				  sizeof(reset_reply),
+				  sizeof(*reset_reply),
 				  1000);
 	if (result < 0) {
 		dev_err(&dev->udev->dev,
@ -406,6 +413,7 @@ unlock_exit:
 	mutex_unlock(&dev->lock);
 exit:
 	kfree(reset_reply);
 	return retval;
 }
@ -808,7 +816,7 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
 	struct lego_usb_tower *dev = NULL;
 	struct usb_host_interface *iface_desc;
 	struct usb_endpoint_descriptor* endpoint;
-	struct tower_get_version_reply get_version_reply;
+	struct tower_get_version_reply *get_version_reply = NULL;
 	int i;
 	int retval = -ENOMEM;
 	int result;
@ -886,6 +894,13 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
 	dev->interrupt_in_interval = interrupt_in_interval ? interrupt_in_interval : dev->interrupt_in_endpoint->bInterval;
 	dev->interrupt_out_interval = interrupt_out_interval ? interrupt_out_interval : dev->interrupt_out_endpoint->bInterval;
 	get_version_reply = kmalloc(sizeof(*get_version_reply), GFP_KERNEL);
 	if (!get_version_reply) {
 		retval = -ENOMEM;
 		goto error;
 	}
 	/* get the firmware version and log it */
 	result = usb_control_msg (udev,
 				  usb_rcvctrlpipe(udev, 0),
@ -893,18 +908,19 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
 				  USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
 				  0,
 				  0,
-				  &get_version_reply,
+				  get_version_reply,
-				  sizeof(get_version_reply),
+				  sizeof(*get_version_reply),
 				  1000);
 	if (result < 0) {
 		dev_err(idev, "LEGO USB Tower get version control request failed\n");
 		retval = result;
 		goto error;
 	}
-	dev_info(&interface->dev, "LEGO USB Tower firmware version is %d.%d "
+	dev_info(&interface->dev,
-		 "build %d\n", get_version_reply.major,
+		 "LEGO USB Tower firmware version is %d.%d build %d\n",
-		 get_version_reply.minor,
+		 get_version_reply->major,
-		 le16_to_cpu(get_version_reply.build_no));
+		 get_version_reply->minor,
 		 le16_to_cpu(get_version_reply->build_no));
 	/* we can register the device now, as it is ready */
 	usb_set_intfdata (interface, dev);
@ -928,6 +944,7 @@ exit:
 	return retval;
 error:
 	kfree(get_version_reply);
 	tower_delete(dev);
 	return retval;
 }