Hi all,
This patch adds the usb control request validity checks
already present in ugen(4) to usb(4).
Grant
Index: usb.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/usb.c,v
retrieving revision 1.107
diff -u -p -r1.107 usb.c
--- usb.c 14 Mar 2015 03:38:50 -0000 1.107
+++ usb.c 31 Aug 2015 19:37:22 -0000
@@ -622,7 +622,15 @@ usbioctl(dev_t devt, u_long cmd, caddr_t
return (EBADF);
DPRINTF(("usbioctl: USB_REQUEST addr=%d len=%d\n", addr, len));
- if (len < 0 || len > 32768)
+ /* Avoid requests that would damage the bus integrity. */
+ if ((ur->ucr_request.bmRequestType == UT_WRITE_DEVICE &&
+ ur->ucr_request.bRequest == UR_SET_ADDRESS) ||
+ (ur->ucr_request.bmRequestType == UT_WRITE_DEVICE &&
+ ur->ucr_request.bRequest == UR_SET_CONFIG) ||
+ (ur->ucr_request.bmRequestType == UT_WRITE_INTERFACE &&
+ ur->ucr_request.bRequest == UR_SET_INTERFACE))
+ return (EINVAL);
+ if (len < 0 || len > 32767)
return (EINVAL);
if (addr < 0 || addr >= USB_MAX_DEVICES)
return (EINVAL);
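Review bot: The request filter added ahead of the length check is a second hand-written copy of the one the description says ugen(4) already carries, so the two deny-lists can drift apart the next time either is tightened. A single shared predicate called from both ioctl paths would keep them identical, for example `if (usb_request_is_unsafe(&ur->ucr_request)) return (EINVAL);`, where the helper name is illustrative and not an existing function. The comparisons are exact matches on `bmRequestType`, so only the standard device-write and interface-write encodings of SET_ADDRESS, SET_CONFIG and SET_INTERFACE are rejected; whether any other encoding of that byte can have the same effect on a device is not visible here and is worth confirming. The bound also changes from 32768 to 32767 with no explanation in the hunk; if this is the ugen(4) limit, a comment such as `/* same transfer length limit as ugen(4) */` would record the reason. The body of usbioctl starts and ends outside this hunk, so how `len` and `addr` are derived cannot be checked from here.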