From owner-freebsd-usb@FreeBSD.ORG Fri Dec 8 11:40:46 2006 Return-Path: X-Original-To: freebsd-usb@FreeBSD.org Delivered-To: freebsd-usb@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 295EF16A412; Fri, 8 Dec 2006 11:40:46 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from pobox.codelabs.ru (pobox.codelabs.ru [144.206.177.45]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3161643C9D; Fri, 8 Dec 2006 11:39:47 +0000 (GMT) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender:X-Spam-Status:Subject; b=nA07J5JM25UC7a7343Ud7FzvHMz01mBx3GRl8zx71qYFYAZhX6c66hoHnWN4a4SJeSnpkggO0tV7xu7/2hklT4jHH+JU+dLhb9+NjLtKiFt0eWWYkwGJ+RpyVkZJ4uSysLD7L1kiwakWQKP65pu5pjND9wto93a9N/xjBJB7PS8=; Received: from codelabs.ru (pobox.codelabs.ru [144.206.177.45]) by pobox.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1Gse5p-000CXg-NP; Fri, 08 Dec 2006 14:40:43 +0300 Date: Fri, 8 Dec 2006 14:40:36 +0300 From: Eygene Ryabinkin To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-usb@FreeBSD.org Message-ID: <20061208114036.GA1218@codelabs.ru> References: <200612070540.kB75eCsg001938@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <200612070540.kB75eCsg001938@freefall.freebsd.org> Sender: rea-fbsd@codelabs.ru X-Spam-Status: No, score=-1.6 required=4.0 tests=ALL_TRUSTED,AWL,BAYES_50 Cc: Subject: Re: usb/106435: Possible buffer overflow in dev/usb/ums.c X-BeenThere: freebsd-usb@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: FreeBSD support for USB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2006 11:40:46 -0000 Sorry, missed the double quote in the patch. The real patch should be: --- ums.c.orig Tue Dec 5 13:29:34 2006 +++ ums.c Tue Dec 5 13:31:40 2006 @@ -431,9 +431,10 @@ #define UMS_BUT(i) ((i) < 3 ? (((i) + 2) % 3) : (i)) DPRINTFN(5, ("ums_intr: sc=%p status=%d\n", sc, status)); - DPRINTFN(5, ("ums_intr: data = %02x %02x %02x %02x %02x %02x\n", - sc->sc_ibuf[0], sc->sc_ibuf[1], sc->sc_ibuf[2], - sc->sc_ibuf[3], sc->sc_ibuf[4], sc->sc_ibuf[5])); + DPRINTFN(5, ("ums_intr: data =")); + for (i = 0; i < sc->sc_isize; i++) + DPRINTFN(5, (" %02x", sc->sc_ibuf[i])); + DPRINTFN(5, ("\n")); if (status == USBD_CANCELLED) return; -- Eygene