ChangeSet 1.1557.49.2, 2004/02/16 16:55:03-08:00, pmarques@grupopie.com [PATCH] USB: fix usblp.c The line that IMHO triggers the bug is this: "writecount += usblp->writeurb->transfer_buffer_length;" It uses "usblp->writeurb->transfer_buffer_length" before initializing it, assuming that it will be zero on the first run. If it is not zero, but instead random *negative* garbage from memory, the loop will start printing endless data from user-space data. drivers/usb/class/usblp.c | 20 ++++++++------------ 1 files changed, 8 insertions(+), 12 deletions(-) diff -Nru a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c --- a/drivers/usb/class/usblp.c Thu Feb 19 17:22:57 2004 +++ b/drivers/usb/class/usblp.c Thu Feb 19 17:22:57 2004 @@ -603,7 +603,7 @@ { DECLARE_WAITQUEUE(wait, current); struct usblp *usblp = file->private_data; - int timeout, err = 0; + int timeout, err = 0, transfer_length; size_t writecount = 0; while (writecount < count) { @@ -654,19 +654,13 @@ continue; } - writecount += usblp->writeurb->transfer_buffer_length; - usblp->writeurb->transfer_buffer_length = 0; + transfer_length=(count - writecount); + if (transfer_length > USBLP_BUF_SIZE) + transfer_length = USBLP_BUF_SIZE; - if (writecount == count) { - up (&usblp->sem); - break; - } + usblp->writeurb->transfer_buffer_length = transfer_length; - usblp->writeurb->transfer_buffer_length = (count - writecount) < USBLP_BUF_SIZE ? - (count - writecount) : USBLP_BUF_SIZE; - - if (copy_from_user(usblp->writeurb->transfer_buffer, buffer + writecount, - usblp->writeurb->transfer_buffer_length)) { + if (copy_from_user(usblp->writeurb->transfer_buffer, buffer + writecount, transfer_length)) { up(&usblp->sem); return writecount ? writecount : -EFAULT; } @@ -683,6 +677,8 @@ break; } up (&usblp->sem); + + writecount += transfer_length; } return count;