Merge "CHROMIUM: usb: gadget: configfs: Fix KASAN use-after-free"

author: Linux Build Service Account <lnxbuild@localhost> 2017-04-04 03:08:00 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2017-04-04 03:08:00 -0700
commit: 7d517eef8f04864b7ff9def0c82276c4d45391e7 (patch)
tree: 60abda6b57e21883802716d2cec7a571873ff31c /drivers/usb/gadget
parent: 9af69213de642f19b19f77e04f23de9f66b6b0f0 (diff)
parent: d3f387805f0e28ef37e142c863c11530c0a3443a (diff)
1 files changed, 12 insertions, 5 deletions
diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index ed0ff7b1fc15..c31aaf7a9880 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -141,21 +141,28 @@ struct gadget_config_name {
 	struct list_head list;
 };
 
+#define MAX_USB_STRING_LEN	126
+#define MAX_USB_STRING_WITH_NULL_LEN	(MAX_USB_STRING_LEN+1)
+
 static int usb_string_copy(const char *s, char **s_copy)
 {
 	int ret;
 	char *str;
 	char *copy = *s_copy;
 	ret = strlen(s);
-	if (ret > 126)
+	if (ret > MAX_USB_STRING_LEN)
 		return -EOVERFLOW;
 
-	str = kstrdup(s, GFP_KERNEL);
-	if (!str)
-		return -ENOMEM;
+	if (copy) {
+		str = copy;
+	} else {
+		str = kmalloc(MAX_USB_STRING_WITH_NULL_LEN, GFP_KERNEL);
+		if (!str)
+			return -ENOMEM;
+	}
+	strncpy(str, s, MAX_USB_STRING_WITH_NULL_LEN);
 	if (str[ret - 1] == '\n')
 		str[ret - 1] = '\0';
-	kfree(copy);
 	*s_copy = str;
 	return 0;
 }
author	Linux Build Service Account <lnxbuild@localhost>	2017-04-04 03:08:00 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2017-04-04 03:08:00 -0700
commit	7d517eef8f04864b7ff9def0c82276c4d45391e7 (patch)
tree	60abda6b57e21883802716d2cec7a571873ff31c /drivers/usb/gadget
parent	9af69213de642f19b19f77e04f23de9f66b6b0f0 (diff)
parent	d3f387805f0e28ef37e142c863c11530c0a3443a (diff)