Module Name: src
Committed By: martin
Date: Thu Nov 23 13:16:21 UTC 2017
Modified Files:
src/sys/dev/usb [netbsd-8]: if_urtwn.c
Log Message:
Pull up following revision(s) (requested by skrll in ticket #383):
sys/dev/usb/if_urtwn.c: revision 1.55
PR/52702 Malicious USB devices attaching as urtwn(4) can corrupt kernel memory
Patch from PR slighly updated by me
To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.53.2.1 src/sys/dev/usb/if_urtwn.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/usb/if_urtwn.c
diff -u src/sys/dev/usb/if_urtwn.c:1.53 src/sys/dev/usb/if_urtwn.c:1.53.2.1
--- src/sys/dev/usb/if_urtwn.c:1.53 Wed May 3 15:34:05 2017
+++ src/sys/dev/usb/if_urtwn.c Thu Nov 23 13:16:21 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: if_urtwn.c,v 1.53 2017/05/03 15:34:05 jnemeth Exp $ */
+/* $NetBSD: if_urtwn.c,v 1.53.2.1 2017/11/23 13:16:21 martin Exp $ */
/* $OpenBSD: if_urtwn.c,v 1.42 2015/02/10 23:25:46 mpi Exp $ */
/*-
@@ -25,7 +25,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_urtwn.c,v 1.53 2017/05/03 15:34:05 jnemeth Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_urtwn.c,v 1.53.2.1 2017/11/23 13:16:21 martin Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -589,8 +589,8 @@ static int
urtwn_open_pipes(struct urtwn_softc *sc)
{
/* Bulk-out endpoints addresses (from highest to lowest prio). */
- static uint8_t epaddr[3];
- static uint8_t rxepaddr[3];
+ static uint8_t epaddr[R92C_MAX_EPOUT];
+ static uint8_t rxepaddr[R92C_MAX_EPIN];
usb_interface_descriptor_t *id;
usb_endpoint_descriptor_t *ed;
size_t i, ntx = 0, nrx = 0;
@@ -602,26 +602,32 @@ urtwn_open_pipes(struct urtwn_softc *sc)
id = usbd_get_interface_descriptor(sc->sc_iface);
for (i = 0; i < id->bNumEndpoints; i++) {
ed = usbd_interface2endpoint_descriptor(sc->sc_iface, i);
- if (ed != NULL &&
- UE_GET_XFERTYPE(ed->bmAttributes) == UE_BULK &&
- UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_OUT) {
- epaddr[ntx] = ed->bEndpointAddress;
+ if (ed == NULL || UE_GET_XFERTYPE(ed->bmAttributes) != UE_BULK) {
+ continue;
+ }
+ if (UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_OUT) {
+ if (ntx < sizeof(epaddr))
+ epaddr[ntx] = ed->bEndpointAddress;
ntx++;
}
- if (ed != NULL &&
- UE_GET_XFERTYPE(ed->bmAttributes) == UE_BULK &&
- UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_IN) {
- rxepaddr[nrx] = ed->bEndpointAddress;
+ if (UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_IN) {
+ if (nrx < sizeof(rxepaddr))
+ rxepaddr[nrx] = ed->bEndpointAddress;
nrx++;
}
}
- DPRINTFN(DBG_INIT, ("%s: %s: found %zd bulk-out pipes\n",
- device_xname(sc->sc_dev), __func__, ntx));
+ if (nrx == 0 || nrx > R92C_MAX_EPIN) {
+ aprint_error_dev(sc->sc_dev,
+ "%zd: invalid number of Rx bulk pipes\n", nrx);
+ return EIO;
+ }
if (ntx == 0 || ntx > R92C_MAX_EPOUT) {
aprint_error_dev(sc->sc_dev,
"%zd: invalid number of Tx bulk pipes\n", ntx);
return EIO;
}
+ DPRINTFN(DBG_INIT, ("%s: %s: found %zd/%zd bulk-in/out pipes\n",
+ device_xname(sc->sc_dev), __func__, nrx, ntx));
sc->rx_npipe = nrx;
sc->tx_npipe = ntx;
