From 261c9dda82ae8804f4338d5803910ead9d0b5583 Mon Sep 17 00:00:00 2001
From: Jack Pham
Date: Tue, 7 Mar 2017 14:34:16 -0800
Subject: [PATCH] usb: gadget: f_fs: Fix out-of-bounds string access

At the end of ffs_epfiles_create() a message is logged with the name of the epfile, however this epfile pointer is only valid in the body of the preceding for-loop. After the loop exits, it is now pointing one past the allocated array and results in an out-of-bounds memory access when formatting the string. Since there could be multiple ep's created, the name may not be important to log. Replace it with the count instead.

Also while ffs_epfiles_destroy() doesn't have the same problem, do the same there anyway for symmetry.

Change-Id: I10551f9c1e056f215ec59335cbf1cde2bad6cc04
Signed-off-by: Jack Pham
---
 drivers/usb/gadget/function/f_fs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index ab44bd316217..31d3022b6ce7 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1879,8 +1879,8 @@ static int ffs_epfiles_create(struct ffs_data *ffs)
 ffs->epfiles = epfiles;
- ffs_log("exit: epfile name %s state %d setup_state %d flag %lu",
- epfile->name, ffs->state, ffs->setup_state, ffs->flags);
+ ffs_log("exit: eps_count %u state %d setup_state %d flag %lu",
+ count, ffs->state, ffs->setup_state, ffs->flags);
 return 0;
 }
@@ -1891,7 +1891,7 @@ static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
 ENTER();
- ffs_log("enter: epfilename %s", epfile->name);
+ ffs_log("enter: count %u", count);
 for (; count; --count, ++epfile) {
 BUG_ON(mutex_is_locked(&epfile->mutex) ||
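Review bot: The new `count` argument in the ffs_epfiles_create() exit log (first hunk) is only correct if `count` still holds the endpoint total once the creation loop has finished, and that loop lies outside the hunk; if it is ever rewritten to count down the way ffs_epfiles_destroy()'s `for (; count; --count, ++epfile)` does, this message would silently report 0 and the next reader would have no hint why. Logging the field the message names, `ffs_log("exit: eps_count %u state %d setup_state %d flag %lu", ffs->eps_count, ffs->state, ffs->setup_state, ffs->flags);`, ties the output to the data rather than to a loop variable, assuming `ffs->eps_count` is the field `count` was loaded from. Please also confirm that `count` in ffs_epfiles_create() is an unsigned type so `%u` matches; in the second hunk `count` is declared `unsigned` in the signature, so that log is fine as written. Both enclosing functions begin before their hunks, so the declarations in question are not visible here.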