diff --git a/drivers/usb/gadget/android.c b/drivers/usb/gadget/android.c index a86e0495146..8d58833c146 100644 --- a/drivers/usb/gadget/android.c +++ b/drivers/usb/gadget/android.c @@ -320,7 +320,7 @@ static ssize_t clients_store( struct device *device, struct device_attribute *attr, const char *buff, size_t size) { - strncpy(diag_clients, buff, sizeof(diag_clients)); + strlcpy(diag_clients, buff, sizeof(diag_clients)); return size; } @@ -348,7 +348,7 @@ static int diag_function_bind_config(struct android_usb_function *f, int once = 0, err = -1; int (*notify)(uint32_t, const char *) = NULL; - strncpy(buf, diag_clients, sizeof(buf)); + strlcpy(buf, diag_clients, sizeof(buf)); b = strim(buf); while (b) { @@ -381,7 +381,7 @@ static ssize_t serial_transports_store( struct device *device, struct device_attribute *attr, const char *buff, size_t size) { - strncpy(serial_transports, buff, sizeof(serial_transports)); + strlcpy(serial_transports, buff, sizeof(serial_transports)); return size; } @@ -407,7 +407,7 @@ static int serial_function_bind_config(struct android_usb_function *f, goto bind_config; serial_initialized = 1; - strncpy(buf, serial_transports, sizeof(buf)); + strlcpy(buf, serial_transports, sizeof(buf)); b = strim(buf); while (b) { @@ -673,7 +673,7 @@ static ssize_t rndis_manufacturer_show(struct device *dev, { struct android_usb_function *f = dev_get_drvdata(dev); struct rndis_function_config *config = f->config; - return sprintf(buf, "%s\n", config->manufacturer); + return snprintf(buf, PAGE_SIZE, "%s\n", config->manufacturer); } static ssize_t rndis_manufacturer_store(struct device *dev, @@ -684,7 +684,7 @@ static ssize_t rndis_manufacturer_store(struct device *dev, if (size >= sizeof(config->manufacturer)) return -EINVAL; - if (sscanf(buf, "%s", config->manufacturer) == 1) + if (sscanf(buf, "%255s", config->manufacturer) == 1) return size; return -1; } @@ -697,7 +697,7 @@ static ssize_t rndis_wceis_show(struct device *dev, { struct android_usb_function *f = dev_get_drvdata(dev); struct rndis_function_config *config = f->config; - return sprintf(buf, "%d\n", config->wceis); + return snprintf(buf, PAGE_SIZE, "%d\n", config->wceis); } static ssize_t rndis_wceis_store(struct device *dev, @@ -722,7 +722,7 @@ static ssize_t rndis_ethaddr_show(struct device *dev, { struct android_usb_function *f = dev_get_drvdata(dev); struct rndis_function_config *rndis = f->config; - return sprintf(buf, "%02x:%02x:%02x:%02x:%02x:%02x\n", + return snprintf(buf, PAGE_SIZE, "%02x:%02x:%02x:%02x:%02x:%02x\n", rndis->ethaddr[0], rndis->ethaddr[1], rndis->ethaddr[2], rndis->ethaddr[3], rndis->ethaddr[4], rndis->ethaddr[5]); } @@ -749,7 +749,7 @@ static ssize_t rndis_vendorID_show(struct device *dev, { struct android_usb_function *f = dev_get_drvdata(dev); struct rndis_function_config *config = f->config; - return sprintf(buf, "%04x\n", config->vendorID); + return snprintf(buf, PAGE_SIZE, "%04x\n", config->vendorID); } static ssize_t rndis_vendorID_store(struct device *dev, @@ -844,7 +844,7 @@ static ssize_t mass_storage_inquiry_show(struct device *dev, { struct android_usb_function *f = dev_get_drvdata(dev); struct mass_storage_function_config *config = f->config; - return sprintf(buf, "%s\n", config->common->inquiry_string); + return snprintf(buf, PAGE_SIZE, "%s\n", config->common->inquiry_string); } static ssize_t mass_storage_inquiry_store(struct device *dev, @@ -854,7 +854,7 @@ static ssize_t mass_storage_inquiry_store(struct device *dev, struct mass_storage_function_config *config = f->config; if (size >= sizeof(config->common->inquiry_string)) return -EINVAL; - if (sscanf(buf, "%s", config->common->inquiry_string) != 1) + if (sscanf(buf, "%28s", config->common->inquiry_string) != 1) return -EINVAL; return size; } @@ -935,7 +935,7 @@ static int android_init_functions(struct android_usb_function **functions, struct android_usb_function *f; struct device_attribute **attrs; struct device_attribute *attr; - int err; + int err = 0; int index = 0; for (; (f = *functions++); index++) { @@ -1048,7 +1048,7 @@ functions_show(struct device *pdev, struct device_attribute *attr, char *buf) char *buff = buf; list_for_each_entry(f, &dev->enabled_functions, enabled_list) - buff += sprintf(buff, "%s,", f->name); + buff += snprintf(buff, PAGE_SIZE, "%s,", f->name); if (buff != buf) *(buff-1) = '\n'; return buff - buf; @@ -1065,7 +1065,7 @@ functions_store(struct device *pdev, struct device_attribute *attr, INIT_LIST_HEAD(&dev->enabled_functions); - strncpy(buf, buff, sizeof(buf)); + strlcpy(buf, buff, sizeof(buf)); b = strim(buf); while (b) { @@ -1084,7 +1084,7 @@ static ssize_t enable_show(struct device *pdev, struct device_attribute *attr, char *buf) { struct android_dev *dev = dev_get_drvdata(pdev); - return sprintf(buf, "%d\n", dev->enabled); + return snprintf(buf, PAGE_SIZE, "%d\n", dev->enabled); } static ssize_t enable_store(struct device *pdev, struct device_attribute *attr, @@ -1138,7 +1138,7 @@ static ssize_t state_show(struct device *pdev, struct device_attribute *attr, state = "CONNECTED"; spin_unlock_irqrestore(&cdev->lock, flags); out: - return sprintf(buf, "%s\n", state); + return snprintf(buf, PAGE_SIZE, "%s\n", state); } #define DESCRIPTOR_ATTR(field, format_string) \ @@ -1146,7 +1146,8 @@ static ssize_t \ field ## _show(struct device *dev, struct device_attribute *attr, \ char *buf) \ { \ - return sprintf(buf, format_string, device_desc.field); \ + return snprintf(buf, PAGE_SIZE, \ + format_string, device_desc.field); \ } \ static ssize_t \ field ## _store(struct device *dev, struct device_attribute *attr, \ @@ -1166,14 +1167,14 @@ static ssize_t \ field ## _show(struct device *dev, struct device_attribute *attr, \ char *buf) \ { \ - return sprintf(buf, "%s", buffer); \ + return snprintf(buf, PAGE_SIZE, "%s", buffer); \ } \ static ssize_t \ field ## _store(struct device *dev, struct device_attribute *attr, \ const char *buf, size_t size) \ { \ if (size >= sizeof(buffer)) return -EINVAL; \ - if (sscanf(buf, "%s", buffer) == 1) { \ + if (sscanf(buf, "%255s", buffer) == 1) { \ return size; \ } \ return -1; \ @@ -1261,9 +1262,10 @@ static int android_bind(struct usb_composite_dev *cdev) device_desc.iProduct = id; /* Default strings - should be updated by userspace */ - strncpy(manufacturer_string, "Android", sizeof(manufacturer_string) - 1); - strncpy(product_string, "Android", sizeof(product_string) - 1); - strncpy(serial_string, "0123456789ABCDEF", sizeof(serial_string) - 1); + strlcpy(manufacturer_string, "Android", + sizeof(manufacturer_string) - 1); + strlcpy(product_string, "Android", sizeof(product_string) - 1); + strlcpy(serial_string, "0123456789ABCDEF", sizeof(serial_string) - 1); id = usb_string_id(cdev); if (id < 0) diff --git a/drivers/usb/gadget/f_rmnet.c b/drivers/usb/gadget/f_rmnet.c index ebbd1d8aecf..69f158a6812 100644 --- a/drivers/usb/gadget/f_rmnet.c +++ b/drivers/usb/gadget/f_rmnet.c @@ -701,6 +701,9 @@ static int frmnet_bind(struct usb_configuration *c, struct usb_function *f) f->descriptors = usb_copy_descriptors(rmnet_fs_function); + if (!f->descriptors) + goto fail; + dev->fs.in = usb_find_endpoint(rmnet_fs_function, f->descriptors, &rmnet_fs_in_desc); @@ -722,6 +725,9 @@ static int frmnet_bind(struct usb_configuration *c, struct usb_function *f) /* copy descriptors, and track endpoint copies */ f->hs_descriptors = usb_copy_descriptors(rmnet_hs_function); + if (!f->hs_descriptors) + goto fail; + dev->hs.in = usb_find_endpoint(rmnet_hs_function, f->hs_descriptors, &rmnet_hs_in_desc); dev->hs.out = usb_find_endpoint(rmnet_hs_function, @@ -737,6 +743,9 @@ static int frmnet_bind(struct usb_configuration *c, struct usb_function *f) return 0; +fail: + if (f->descriptors) + usb_free_descriptors(f->descriptors); ep_notify_alloc_fail: dev->notify->driver_data = NULL; dev->notify = NULL;