From 9786f8b2f79c61afb518c205663a78ecfcab0c64 Mon Sep 17 00:00:00 2001 From: Malcolm Priestley Date: Sat, 16 May 2020 11:44:57 +0100 Subject: [PATCH] staging: vt6656: vnt_usb_send_context remove variable data. A limit is also placed in vnt_tx_context of MAX_TOTAL_SIZE_WITH_ALL_HEADERS limiting size. Signed-off-by: Malcolm Priestley Link: https://lore.kernel.org/r/9416e1a8-bd72-ffb1-5366-78361d053907@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/staging/vt6656/device.h | 1 - drivers/staging/vt6656/rxtx.c | 3 --- drivers/staging/vt6656/usbpipe.c | 5 +++++ 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/staging/vt6656/device.h b/drivers/staging/vt6656/device.h index 074b98dfac91..08294b21c4e9 100644 --- a/drivers/staging/vt6656/device.h +++ b/drivers/staging/vt6656/device.h @@ -250,7 +250,6 @@ struct vnt_usb_send_context { u8 pkt_type; u8 need_ack; bool in_use; - unsigned char data[MAX_TOTAL_SIZE_WITH_ALL_HEADERS]; }; /* diff --git a/drivers/staging/vt6656/rxtx.c b/drivers/staging/vt6656/rxtx.c index cf194c95df03..8f9904c8045c 100644 --- a/drivers/staging/vt6656/rxtx.c +++ b/drivers/staging/vt6656/rxtx.c @@ -73,9 +73,6 @@ static struct vnt_usb_send_context context = priv->tx_context[ii]; if (!context->in_use) { context->in_use = true; - memset(context->data, 0, - MAX_TOTAL_SIZE_WITH_ALL_HEADERS); - context->hdr = NULL; return context; diff --git a/drivers/staging/vt6656/usbpipe.c b/drivers/staging/vt6656/usbpipe.c index 904645fa0eb0..43f1ef32a9ce 100644 --- a/drivers/staging/vt6656/usbpipe.c +++ b/drivers/staging/vt6656/usbpipe.c @@ -463,6 +463,11 @@ int vnt_tx_context(struct vnt_private *priv, return -ENODEV; } + if (context->buf_len > MAX_TOTAL_SIZE_WITH_ALL_HEADERS) { + context->in_use = false; + return -E2BIG; + } + usb_fill_bulk_urb(urb, priv->usb, usb_sndbulkpipe(priv->usb, 3),