On June 22, 2025 6:39:56 AM PDT, Dominique Martinet via B4 Relay devnull+asmadeus.codewreck.org@kernel.org wrote:
[...] Add validation in usb9pfs_rx_complete() to ensure req->actual does not exceed the buffer capacity before copying data. [...]
- if (req_size > p9_rx_req->rc.capacity) {
dev_err(&cdev->gadget->dev,
"%s received data size %u exceeds buffer capacity %zu\n",
ep->name, req_size, p9_rx_req->rc.capacity);
req_size = 0;
status = REQ_STATUS_ERROR;
- }
- p9_rx_req->rc.size = req->actual;
- memcpy(p9_rx_req->rc.sdata, req->buf, req_size);
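Review bot: the error path leaves rc.size inconsistent with what was actually copied: after the capacity check clamps req_size to 0 and sets status to REQ_STATUS_ERROR, the following line still assigns `p9_rx_req->rc.size = req->actual;`, so rc.size records the oversized length while only req_size (0) bytes were copied into rc.sdata. Assigning `p9_rx_req->rc.size = req_size;` instead would keep size and the copied data in agreement, regardless of whether later code bails out on the error status.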
Is rc.sdata always rc.capacity sized? If so, this would be a good first adopter of the __counted_by annotation for pointer struct members, available in Clang trunk and soon in GCC: https://gcc.gnu.org/pipermail/gcc-patches/2025-May/683696.html
-Kees