USB: usbfs: only copy the actual data received
author Greg KH <greg@kroah.com>
Mon, 15 Feb 2010 17:37:46 +0000 (09:37 -0800)
committer Greg Kroah-Hartman <gregkh@suse.de>
Tue, 16 Feb 2010 23:11:01 +0000 (15:11 -0800)
We need to only copy the data received by the device to userspace, not
the whole kernel buffer, which can contain "stale" data.

Thanks to Marcus Meissner for pointing this out and testing the fix.

Reported-by: Marcus Meissner <meissner@suse.de>
Tested-by: Marcus Meissner <meissner@suse.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/usb/core/devio.c

index 6e8bcdfd23b41ee8435efbbb5e6bfadeb8095eb3..ca948bbc388fa8d3f53e54d960dc3e56a556b21b 100644 (file)
@@ -1312,9 +1312,9 @@ static int processcompl(struct async *as, void __user * __user *arg)
        void __user *addr = as->userurb;
        unsigned int i;
 
-       if (as->userbuffer)
+       if (as->userbuffer && urb->actual_length)
                if (copy_to_user(as->userbuffer, urb->transfer_buffer,
-                                urb->transfer_buffer_length))
+                                urb->actual_length))
                        goto err_out;
        if (put_user(as->status, &userurb->status))
                goto err_out;
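Review bot: the changed copy_to_user() length in processcompl() carries no comment saying why actual_length is the bound, so a later cleanup could switch it back to transfer_buffer_length and reintroduce the stale-data copy the commit message describes. A one-line comment above `if (as->userbuffer && urb->actual_length)` stating that only bytes actually received may be copied to userspace would record the intent. The inner `if (copy_to_user(...))` could also be folded into the outer condition with `&&`, so that `goto err_out` hangs off a single test instead of two unbraced nested ifs.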
@@ -1475,9 +1475,9 @@ static int processcompl_compat(struct async *as, void __user * __user *arg)
        void __user *addr = as->userurb;
        unsigned int i;
 
-       if (as->userbuffer)
+       if (as->userbuffer && urb->actual_length)
                if (copy_to_user(as->userbuffer, urb->transfer_buffer,
-                                urb->transfer_buffer_length))
+                                urb->actual_length))
                        return -EFAULT;
        if (put_user(as->status, &userurb->status))
                return -EFAULT;
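Review bot: the copy in processcompl_compat() is a duplicate of the same check in processcompl(), differing only in the error path (`return -EFAULT` here, `goto err_out` there), so the length fix had to be applied twice and the two can drift apart again. Consider moving the userbuffer copy into one small helper that both functions call, with each caller keeping its own error handling, so that any future change to the bound is made in one place.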