From: Kirill A. Korinsky
Subject: sys/usb: fix potential buffer overflow from oversized USB chunks
To: OpenBSD tech
Date: Wed, 02 Apr 2025 17:30:45 +0200

tech@,

I observed something that smells like a buffer overflow issue. If a device announces it will send n bytes but then actually sends a chunk larger than n bytes, a kernel without DIAGNOSTIC appears to overwrite memory past the buffer boundary. Conversely, with DIAGNOSTIC enabled, this memory overwrite does not occur.

Am I wrong?

Ok?

Index: sys/dev/usb/usbdi.c =================================================================== RCS file: /home/cvs/src/sys/dev/usb/usbdi.c,v diff -u -p -r1.111 usbdi.c --- sys/dev/usb/usbdi.c 23 May 2024 03:21:09 -0000 1.111 +++ sys/dev/usb/usbdi.c 2 Apr 2025 15:30:06 -0000 @@ -749,13 +749,13 @@ usb_transfer_complete(struct usbd_xfer * if (polling) pipe->running = 0; -#ifdef DIAGNOSTIC if (xfer->actlen > xfer->length) { +#ifdef DIAGNOSTIC printf("%s: actlen > len %u > %u\n", __func__, xfer->actlen, xfer->length); +#endif xfer->actlen = xfer->length; } -#endif if (usbd_xfer_isread(xfer) && xfer->actlen != 0 && (xfer->flags & USBD_NO_COPY) == 0)
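Review bot: the clamp `xfer->actlen = xfer->length;` now runs in every kernel, but it sits in usb_transfer_complete(), i.e. after the host controller has already finished the transfer, so what it bounds is the copy-out in the `if (usbd_xfer_isread(xfer) && xfer->actlen != 0 && (xfer->flags & USBD_NO_COPY) == 0)` branch that follows, not any write the hardware may already have made into the DMA buffer. The commit message should say that this is the overflow being addressed (the post-completion copy driven by a device-reported actlen), and a short comment above `if (xfer->actlen > xfer->length) {` would explain why a silently truncated actlen is the intended non-DIAGNOSTIC behaviour now that the printf is the only part left under `#ifdef DIAGNOSTIC`; it is also worth considering whether a device reporting more data than was requested should complete the transfer with an error status rather than succeed with a truncated length, since callers have no other indication that the count was clamped.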