https://git.reactos.org/?p=reactos.git;a=commitdiff;h=ac20ab031ca08a031b2dea321ba50ee4c86b18c4

commit ac20ab031ca08a031b2dea321ba50ee4c86b18c4
Author:     Thomas Faber <thomas.fa...@reactos.org>
AuthorDate: Wed Mar 6 09:57:23 2019 +0100
Commit:     Thomas Faber <thomas.fa...@reactos.org>
CommitDate: Mon Mar 11 08:53:55 2019 +0100

    [USBPORT] Correctly handle alternate settings returned from 
USBPORT_ParseConfigurationDescriptor.
    
    The last parameter of USBPORT_ParseConfigurationDescriptor is a pointer
    to a boolean indicating whether any alternate interface settings were
    found for the specified interface.
    Interpreting it as an alternate setting value, as we did before,
    would always override the alternate setting to '1' (if any alternate
    descriptors were present), therefore selecting the wrong interface
    setting, and possibly causing a buffer overflow on the InterfaceList's
    Pipes array.
    
    Found by Special Pool.
---
 drivers/usb/usbport/device.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/drivers/usb/usbport/device.c b/drivers/usb/usbport/device.c
index 5662a6141a..8676571985 100644
--- a/drivers/usb/usbport/device.c
+++ b/drivers/usb/usbport/device.c
@@ -186,7 +186,7 @@ NTAPI
 USBPORT_ParseConfigurationDescriptor(IN PUSB_CONFIGURATION_DESCRIPTOR 
ConfigDescriptor,
                                      IN UCHAR InterfaceNumber,
                                      IN UCHAR Alternate,
-                                     OUT PUCHAR OutAlternate)
+                                     OUT PBOOLEAN HasAlternates)
 {
     PUSB_CONFIGURATION_DESCRIPTOR TmpDescriptor;
     PUSB_INTERFACE_DESCRIPTOR iDescriptor;
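Review bot: The retyped out-parameter `HasAlternates` has no comment stating its contract, and the ambiguity of the old name is what let callers pass `&InterfaceInfo->AlternateSetting` into it. Suggest a comment above the definition such as `/* HasAlternates: optional; receives TRUE if alternate settings exist for InterfaceNumber, else FALSE. It is not an alternate setting value. */`. The function body continues outside this hunk.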
@@ -197,8 +197,8 @@ USBPORT_ParseConfigurationDescriptor(IN 
PUSB_CONFIGURATION_DESCRIPTOR ConfigDesc
 
     DPRINT("USBPORT_ParseConfigurationDescriptor ... \n");
 
-    if (OutAlternate)
-        *OutAlternate = 0;
+    if (HasAlternates)
+        *HasAlternates = FALSE;
 
     for (TmpDescriptor = 
(PUSB_CONFIGURATION_DESCRIPTOR)((ULONG_PTR)ConfigDescriptor + 
ConfigDescriptor->bLength);
          TmpDescriptor->bDescriptorType != USB_INTERFACE_DESCRIPTOR_TYPE && 
TmpDescriptor->bLength > 0;
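Review bot: The descriptor walk in the `for` header stops only on an interface descriptor type or a zero `bLength`; no comparison against the configuration's `wTotalLength` is visible in the condition. The increment clause and loop body are outside this hunk, so the bound may exist there. If it does not, a device-supplied descriptor with inconsistent lengths could move `TmpDescriptor` past the end of the descriptor buffer, an out-of-bounds read in the same parsing path this commit touches. Worth confirming and, if absent, adding an end check such as `(ULONG_PTR)TmpDescriptor < (ULONG_PTR)ConfigDescriptor + ConfigDescriptor->wTotalLength` to the loop condition.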
@@ -235,8 +235,8 @@ USBPORT_ParseConfigurationDescriptor(IN 
PUSB_CONFIGURATION_DESCRIPTOR ConfigDesc
         ++ix;
     }
 
-    if ((ix > 1) && OutAlternate)
-        *OutAlternate = 1;
+    if ((ix > 1) && HasAlternates)
+        *HasAlternates = TRUE;
 
     return OutDescriptor;
 }
@@ -256,6 +256,7 @@ USBPORT_OpenInterface(IN PURB Urb,
     PUSBPORT_PIPE_HANDLE PipeHandle;
     PUSB_ENDPOINT_DESCRIPTOR Descriptor;
     PUSBD_PIPE_INFORMATION PipeInfo;
+    BOOLEAN HasAlternates;
     ULONG NumEndpoints;
     SIZE_T Length;
     SIZE_T HandleLength;
@@ -271,14 +272,14 @@ USBPORT_OpenInterface(IN PURB Urb,
     InterfaceDescriptor = 
USBPORT_ParseConfigurationDescriptor(ConfigHandle->ConfigurationDescriptor,
                                                                
InterfaceInfo->InterfaceNumber,
                                                                
InterfaceInfo->AlternateSetting,
-                                                               
&InterfaceInfo->AlternateSetting);
+                                                               &HasAlternates);
 
     NumEndpoints = InterfaceDescriptor->bNumEndpoints;
 
     Length = FIELD_OFFSET(USBD_INTERFACE_INFORMATION, Pipes) +
              NumEndpoints * sizeof(USBD_PIPE_INFORMATION);
 
-    if (InterfaceInfo->AlternateSetting && IsSetInterface)
+    if (HasAlternates && IsSetInterface)
     {
         DPRINT1("USBPORT_OpenInterface: InterfaceInfo->AlternateSetting && 
IsSetInterface !\n");
     }
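Review bot: The `DPRINT1` text inside `if (HasAlternates && IsSetInterface)` still names the old condition, so anyone reading the log will look for a non-zero `AlternateSetting` that no longer drives this branch; suggest `DPRINT1("USBPORT_OpenInterface: HasAlternates && IsSetInterface !\n");`. Separately, `InterfaceDescriptor->bNumEndpoints` is read right after the parse call with no NULL check visible in this hunk. If the parser can return NULL for an interface/alternate pair the configuration does not contain, values taken from the URB would lead to a NULL dereference, so a guard before the read is worth confirming. The function continues outside the hunk, so the check that `Length` fits the caller's buffer before `Pipes` is written cannot be verified from here.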
@@ -491,7 +492,7 @@ USBPORT_InitInterfaceInfo(IN PUSBD_INTERFACE_INFORMATION 
InterfaceInfo,
     Descriptor = 
USBPORT_ParseConfigurationDescriptor(ConfigHandle->ConfigurationDescriptor,
                                                       
InterfaceInfo->InterfaceNumber,
                                                       
InterfaceInfo->AlternateSetting,
-                                                      
&InterfaceInfo->AlternateSetting);
+                                                      NULL);
 
     Length = sizeof(USBD_INTERFACE_INFORMATION) +
              sizeof(USBD_PIPE_INFORMATION);
