hi all,
drivers/usb/host/r8a66597-hcd.c:r8a66597_hub_descriptor can truncate
r8a66597.max_root_hub (of type unsigned int) to an unsigned char:
desc->bNbrPorts = r8a66597->max_root_hub;
based on the surrounding code my guess is that max_root_hub can simply
be turned into an unsigned char field as it can't hold a value bigger
than U8_MAX. in fact its value can't be bigger than 7 anyway since
later the code uses it like this:
desc->u.hs.DeviceRemovable[0] = ((1 << r8a66597->max_root_hub) - 1) <<
1;
can anyone tell me if this analysis is correct?
FTR, this issue was detected with the upcoming version of the size overflow
plugin we have in PaX/grsecurity and there're a handful of similar cases in
the tree where potentially unwanted or unnecessary integer truncations occur,
this being one of these. any opinion/help is welcome!
cheers,
PaX Team
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
