Hello,
Please find a little patch which corrects a buffer overflow in usb.c
Best regards
CHANGELOG: Patch by Laurent MOHIN, 05 Feb 2004 - common/usb.c: buffer overflow correction
--- work/u-boot-1.0.0/common/usb.c Thu Sep 18 11:21:35 2003 +++ work-lm/u-boot-1.0.0/common/usb.c Thu Feb 5 17:07:38 2004 @@ -46,6 +46,7 @@ #include <405gp_pci.h> #endif
+#define BUFFER_MAX_SIZE 512
#undef USB_DEBUG
@@ -386,7 +387,12 @@ return -1; } tmp=swap_16(config->wTotalLength); - + + if (tmp > BUFFER_MAX_SIZE) { + USB_PRINTF("usb_get_configuration_no: failed to get descriptor - length too long %d\n",tmp); + return -1; + } + result = usb_get_descriptor(dev, USB_DT_CONFIG, cfgno, buffer, tmp); USB_PRINTF("get_conf_no %d Result %d, wLength %d\n",cfgno,result,tmp); return result; @@ -516,8 +522,8 @@ */ int usb_string(struct usb_device *dev, int index, char *buf, size_t size) { - - unsigned char mybuf[256]; + + unsigned char mybuf[BUFFER_MAX_SIZE]; unsigned char *tbuf; int err; unsigned int u, idx; @@ -550,9 +556,15 @@ if (err < 0) return err; u=tbuf[0]; USB_PRINTF("Strn Len %d, index %d\n",u,index); + + if (u > BUFFER_MAX_SIZE) { + USB_PRINTF("usb_string : failed to get string - length too long %d\n",u); + return -1; + } + err = usb_get_string(dev, dev->string_langid, index, tbuf, u); @@ -619,8 +631,8 @@ { int addr, err; int tmp; - unsigned char tmpbuf[256]; - + unsigned char tmpbuf[BUFFER_MAX_SIZE]; + dev->descriptor.bMaxPacketSize0 = 8; /* Start off at 8 bytes */ dev->maxpacketsize = 0; /* Default to 8 byte max packet size */ dev->epmaxpacketin [0] = 8; @@ -895,7 +907,7 @@
int usb_hub_configure(struct usb_device *dev) { - unsigned char buffer[256], *bitmap; + unsigned char buffer[BUFFER_MAX_SIZE], *bitmap; struct usb_hub_descriptor *descriptor; struct usb_hub_status *hubsts; int i; @@ -912,7 +924,13 @@ return -1; } descriptor = (struct usb_hub_descriptor *)buffer; - if (usb_get_hub_descriptor(dev, buffer, descriptor->bLength) < 0) { + + if (descriptor->bLength > BUFFER_MAX_SIZE) { + USB_HUB_PRINTF("usb_hub_configure: failed to get hub descriptor - length too long %d\n",descriptor->bLength); + return -1; + } + + if (usb_get_hub_descriptor(dev, buffer, descriptor->bLength) < 0) { USB_HUB_PRINTF("usb_hub_configure: failed to get hub descriptor 2nd giving up %lX\n",dev->status); return -1; } @@ -968,7 +986,13 @@ for (i = 0; i < dev->maxchild; i++) USB_HUB_PRINTF("port %d is%s removable\n", i + 1, hub->desc.DeviceRemovable[(i + 1)/8] & (1 << ((i + 1)%8)) ? " not" : ""); - if (usb_get_hub_status(dev, buffer) < 0) { + + if (sizeof(struct usb_hub_status) > BUFFER_MAX_SIZE) { + USB_HUB_PRINTF("usb_hub_configure: failed to get Status - length too long %d\n",descriptor->bLength); + return -1; + } + + if (usb_get_hub_status(dev, buffer) < 0) { USB_HUB_PRINTF("usb_hub_configure: failed to get Status %lX\n",dev->status); return -1; }