Re: [PATCH] usb: gadget: configfs: fix 1-byte OOB read in ext_prop_data_show()
From: Kees Cook
Date: Tue Apr 21 2026 - 12:29:28 EST

On Tue, Apr 21, 2026 at 10:10:10PM +0800, Bingquan Chen wrote:
> In ext_prop_data_store(), for unicode property types, the data buffer
> is allocated via kmemdup() with size 'len', but data_len is inflated
> to len*2+2 to account for the UTF-16 encoding and a 2-byte null
> terminator. The null terminator is not actually stored in the data
> buffer.

Isn't the problem the "+2" in the size calculation? The terminator is
never stored nor used.

--
Kees Cook
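
The length bookkeeping discussed in this message, as an added userspace example that is not code from the thread or from the kernel. The struct and function names are hypothetical, the `term` parameter stands in for the "+2", and the reader-side halving of `data_len` is an assumption consistent with the 1-byte over-read named in the subject; the model says nothing about whether other consumers rely on `data_len`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the bookkeeping; all names here are hypothetical. */
struct prop_model {
    unsigned char *data; /* copy of the written bytes */
    size_t alloc_len;    /* bytes really allocated (tracked only by this model) */
    size_t data_len;     /* length advertised to readers */
};

/* Store as the quoted text describes: allocate len bytes, and for unicode
 * types advertise len*2 + term, where term is 2 in the reported code. */
static int model_store(struct prop_model *p, const char *src, size_t len,
                       int unicode, size_t term)
{
    p->data = malloc(len ? len : 1);
    if (!p->data)
        return -1;
    memcpy(p->data, src, len);
    p->alloc_len = len;
    p->data_len = unicode ? len * 2 + term : len;
    return 0;
}

/* ASSUMPTION: the reader halves data_len for unicode types to get a byte count. */
static size_t model_show_len(const struct prop_model *p, int unicode)
{
    return unicode ? p->data_len >> 1 : p->data_len;
}

/* Bytes past the allocation that an unchecked copy of that length would read.
 * Pure arithmetic: the model never performs the out-of-bounds access. */
static size_t model_overread(const struct prop_model *p, int unicode)
{
    size_t n = model_show_len(p, unicode);
    return n > p->alloc_len ? n - p->alloc_len : 0;
}

int main(void)
{
    struct prop_model p;
    /* Constructed input: "abc", 3 bytes, stored as a unicode type. */
    if (model_store(&p, "abc", 3, 1, 2))
        return 1;
    printf("advertised %zu, copied %zu, past buffer %zu\n",
           p.data_len, model_show_len(&p, 1), model_overread(&p, 1));
    free(p.data);
    return 0;
}
```

With `term` set to 0 the halved length equals the allocation size and the modelled over-read is 0.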