[PATCH] usb: io_edgeport, cleanup to unicode handling

Clean up the unicode handling in io_edgeport. Make get_string size-limited.

Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index b606c59..c28f1f6 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -142,7 +142,7 @@
 
 /* This structure holds all of the individual device information */
 struct edgeport_serial {
-	char			name[MAX_NAME_LEN+1];		/* string name of this device */
+	char			name[MAX_NAME_LEN+2];		/* string name of this device */
 
 	struct edge_manuf_descriptor	manuf_descriptor;	/* the manufacturer descriptor */
 	struct edge_boot_descriptor	boot_descriptor;	/* the boot firmware descriptor */
@@ -270,7 +270,7 @@
 static void get_boot_desc		(struct edgeport_serial *edge_serial);
 static void load_application_firmware	(struct edgeport_serial *edge_serial);
 
-static void unicode_to_ascii		(char *string, __le16 *unicode, int unicode_size);
+static void unicode_to_ascii(char *string, int buflen, __le16 *unicode, int unicode_size);
 
 
 // ************************************************************************
@@ -373,7 +373,7 @@
  *  Get string descriptor from device					*
  *									*
  ************************************************************************/
-static int get_string (struct usb_device *dev, int Id, char *string)
+static int get_string (struct usb_device *dev, int Id, char *string, int buflen)
 {
 	struct usb_string_descriptor StringDesc;
 	struct usb_string_descriptor *pStringDesc;
@@ -395,7 +395,7 @@
 		return 0;
 	}
 
-	unicode_to_ascii(string,  pStringDesc->wData,     pStringDesc->bLength/2-1);
+	unicode_to_ascii(string, buflen, pStringDesc->wData, pStringDesc->bLength/2);
 
 	kfree(pStringDesc);
 	return strlen(string);
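Review bot: The element count passed to unicode_to_ascii() changed from `pStringDesc->bLength/2-1` to `pStringDesc->bLength/2`, which looks like one 16-bit unit too many. In a USB string descriptor, bLength counts the two header bytes (bLength and bDescriptorType) as well as wData, so wData holds only `bLength/2 - 1` units. With the new count the loop can read two bytes past the descriptor data whenever buflen does not cut it short first. The allocation of pStringDesc is outside this hunk, so whether that read leaves the buffer needs confirming, but bLength is device-supplied and I would keep `pStringDesc->bLength/2 - 1`. The three manufacturing-descriptor calls in the @@ -2603 hunk drop the same `-1` from SerNumLength, AssemblyNumLength and OemAssyNumLength and deserve the same check.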
@@ -2564,16 +2564,20 @@
  *	ASCII range, but it's only for debugging...
  *	NOTE: expects the unicode in LE format
  ****************************************************************************/
-static void unicode_to_ascii (char *string, __le16 *unicode, int unicode_size)
+static void unicode_to_ascii(char *string, int buflen, __le16 *unicode, int unicode_size)
 {
 	int i;
 
-	if (unicode_size <= 0)
+	if (buflen <= 0)	/* never happens, but... */
 		return;
+	--buflen;		/* space for nul */
 
-	for (i = 0; i < unicode_size; ++i)
+	for (i = 0; i < unicode_size; i++) {
+		if (i >= buflen)
+			break;
 		string[i] = (char)(le16_to_cpu(unicode[i]));
-	string[unicode_size] = 0x00;
+	}
+	string[i] = 0x00;
 }
 
 
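Review bot: The early return for `buflen <= 0` leaves `string` untouched, yet get_string() calls `strlen(string)` on it right after the conversion. In the "never happens" case strlen would therefore run over whatever the caller's buffer already held. Nothing can be written into a zero-length buffer, so the contract belongs in the header comment, for example `buflen is the size of string in bytes and must be at least 1; output is truncated to buflen-1 characters and always NUL-terminated`. The header comment starts above this hunk, so only its tail is visible here.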
@@ -2603,11 +2607,17 @@
 		dbg("  BoardRev:       %d", edge_serial->manuf_descriptor.BoardRev);
 		dbg("  NumPorts:       %d", edge_serial->manuf_descriptor.NumPorts);
 		dbg("  DescDate:       %d/%d/%d", edge_serial->manuf_descriptor.DescDate[0], edge_serial->manuf_descriptor.DescDate[1], edge_serial->manuf_descriptor.DescDate[2]+1900);
-		unicode_to_ascii (string, edge_serial->manuf_descriptor.SerialNumber, edge_serial->manuf_descriptor.SerNumLength/2-1);
+		unicode_to_ascii(string, 30,
+		    edge_serial->manuf_descriptor.SerialNumber,
+		    edge_serial->manuf_descriptor.SerNumLength/2);
 		dbg("  SerialNumber: %s", string);
-		unicode_to_ascii (string, edge_serial->manuf_descriptor.AssemblyNumber, edge_serial->manuf_descriptor.AssemblyNumLength/2-1);
+		unicode_to_ascii(string, 30,
+		    edge_serial->manuf_descriptor.AssemblyNumber,
+		    edge_serial->manuf_descriptor.AssemblyNumLength/2);
 		dbg("  AssemblyNumber: %s", string);
-		unicode_to_ascii (string, edge_serial->manuf_descriptor.OemAssyNumber, edge_serial->manuf_descriptor.OemAssyNumLength/2-1);
+		unicode_to_ascii(string, 30,
+		    edge_serial->manuf_descriptor.OemAssyNumber,
+		    edge_serial->manuf_descriptor.OemAssyNumLength/2);
 		dbg("  OemAssyNumber:  %s", string);
 		dbg("  UartType:       %d", edge_serial->manuf_descriptor.UartType);
 		dbg("  IonPid:         %d", edge_serial->manuf_descriptor.IonPid);
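Review bot: The literal `30` is repeated as the buffer size in all three calls, so the bound and the real size of `string` can drift apart silently if either is edited later. The declaration of `string` is outside this hunk. If it is a local array, `unicode_to_ascii(string, sizeof(string), ...)` ties the limit to the buffer itself. If it is a pointer, a named constant shared with the declaration does the same job.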
@@ -2735,11 +2745,11 @@
 	usb_set_serial_data(serial, edge_serial);
 
 	/* get the name for the device from the device */
-	if ( (i = get_string(dev, dev->descriptor.iManufacturer, &edge_serial->name[0])) != 0) {
-		edge_serial->name[i-1] = ' ';
-	}
-
-	get_string(dev, dev->descriptor.iProduct, &edge_serial->name[i]);
+	i = get_string(dev, dev->descriptor.iManufacturer,
+	    &edge_serial->name[0], MAX_NAME_LEN+1);
+	edge_serial->name[i++] = ' ';
+	get_string(dev, dev->descriptor.iProduct,
+	    &edge_serial->name[i], MAX_NAME_LEN+2 - i);
 
 	dev_info(&serial->dev->dev, "%s detected\n", edge_serial->name);
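Review bot: `edge_serial->name[i++] = ' ';` overwrites the terminator written by the first get_string(), and nothing restores it if the second get_string() fails. get_string() has a `return 0` path (visible in the @@ -395 hunk) that comes before the unicode_to_ascii() call and so never writes `string`. In that case the `%s` in dev_info() relies on the rest of `name` already being zero, which depends on how edge_serial was allocated outside this hunk. Adding `edge_serial->name[i] = '\0';` right after the space keeps the name terminated regardless. The bounds themselves look right: i is at most MAX_NAME_LEN+1 after the increment, which leaves at least one byte for the second call.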