USB: usbfs: only copy the actual data received

commit d4a4683ca054ed9917dfc9e3ff0f7ecf74ad90d6 upstream

We need to only copy the data received by the device to userspace, not
the whole kernel buffer, which can contain "stale" data.

Thanks to Marcus Meissner for pointing this out and testing the fix.

Reported-by: Marcus Meissner <meissner@suse.de>
Tested-by: Marcus Meissner <meissner@suse.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Acked-by: Jeff Mahoney <jeffm@suse.com>

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index b8c49482209d7eb8226aa37cfca1dcc7e5610e09..52aabc7d4ba000f6f14aadf3e66c640afb6f7445 100644 (file)
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1240,9 +1240,9 @@ static int processcompl(struct async *as, void __user * __user *arg)
        void __user *addr = as->userurb;
        unsigned int i;
 
-       if (as->userbuffer)
+       if (as->userbuffer && urb->actual_length)
                if (copy_to_user(as->userbuffer, urb->transfer_buffer,
-                                urb->transfer_buffer_length))
+                                urb->actual_length))
                        goto err_out;
        if (put_user(as->status, &userurb->status))
                goto err_out;
@@ -1368,9 +1368,9 @@ static int processcompl_compat(struct async *as, void __user * __user *arg)
        void __user *addr = as->userurb;
        unsigned int i;
 
-       if (as->userbuffer)
+       if (as->userbuffer && urb->actual_length)
                if (copy_to_user(as->userbuffer, urb->transfer_buffer,
-                                urb->transfer_buffer_length))
+                                urb->actual_length))
                        return -EFAULT;
        if (put_user(as->status, &userurb->status))
                return -EFAULT;