Fix an off by one in array bounds test, Coverity CID 1452930.

sys/dev/usb/usb.h contains:

/*
 * Note: The length of the USB string descriptor is stored in a one byte
 * value and can therefore be no longer than 255 bytes.  Two bytes are
 * used for the length itself and the descriptor type, a theoretical maximum
 * of 253 bytes is left for the actual string data.  Since the strings are
 * encoded as 2-byte unicode characters, only 252 bytes or 126 two-byte
 * characters can be used.  USB_MAX_STRING_LEN is defined as 127, leaving
 * space for the terminal '\0' character in C strings.
 */
struct usb_string_descriptor {
        uByte           bLength;
        uByte           bDescriptorType;
        uWord           bString[126];
} __packed;
typedef struct usb_string_descriptor usb_string_descriptor_t;
#define USB_MAX_STRING_LEN 127

Index: udl.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/udl.c,v
retrieving revision 1.87
diff -u -p -r1.87 udl.c
--- udl.c       8 Apr 2017 02:57:25 -0000       1.87
+++ udl.c       23 Aug 2017 04:10:36 -0000
@@ -1312,7 +1312,7 @@ udl_select_chip(struct udl_softc *sc)
 
                s = &serialnum[0];
                n = len / 2 - 1;
-               for (i = 0; i < n && i < USB_MAX_STRING_LEN; i++) {
+               for (i = 0; i < n && i < nitems(us.bString); i++) {
                        c = UGETW(us.bString[i]);
                        /* Convert from Unicode, handle buggy strings. */
                        if ((c & 0xff00) == 0)
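Review bot: The new condition `i < nitems(us.bString)` caps the read index, but nothing visible in the hunk ties the loop to the size of the buffer that `s = &serialnum[0]` points into; the declaration of `serialnum` and the stores through `s` lie outside the hunk, so this part is inferred. If `serialnum` is a fixed-size array, its capacity (plus any terminator appended after the loop) matches the descriptor array only by convention, and `len` presumably comes from the descriptor the device returned, so a later size change on either side could reintroduce an overrun driven by device-supplied data. Consider making the destination bound explicit, e.g. `for (i = 0; i < n && i < nitems(us.bString) && i < sizeof(serialnum) - 1; i++) {`, or at least adding a comment such as `/* bound by the descriptor array (126 entries), not USB_MAX_STRING_LEN (127) */` so the reason for the choice survives future edits. udl_select_chip starts and ends outside the hunk.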
