usb: gadget: f_uac1_legacy: validate control request size - kernel

diff options

author	Taegu Ha <hataegu0826@gmail.com>	2026-04-02 04:13:11 +0900
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2026-04-11 14:29:58 +0200
commit	26304d124e7f0383f8fe1168b5801a0ac7e16b1c (patch)
tree	256f628a53d845ad68c9265b9fe3e5d6a03c66e0 /io_uring/napi.c
parent	26a879a41ed960b3fb4ec773ef2788c515c0e488 (diff)

usb: gadget: f_uac1_legacy: validate control request size

commit 6e0e34d85cd46ceb37d16054e97a373a32770f6c upstream. f_audio_complete() copies req->length bytes into a 4-byte stack variable: u32 data = 0; memcpy(&data, req->buf, req->length); req->length is derived from the host-controlled USB request path, which can lead to a stack out-of-bounds write. Validate req->actual against the expected payload size for the supported control selectors and decode only the expected amount of data. This avoids copying a host-influenced length into a fixed-size stack object. Signed-off-by: Taegu Ha <hataegu0826@gmail.com> Cc: stable <stable@kernel.org> Link: https://patch.msgid.link/20260401191311.3604898-1-hataegu0826@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'io_uring/napi.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: