[U-Boot-Users] usb.c patch

5 Feb 2004

Hello,
Please find a little patch which corrects a buffer overflow in usb.c
Best regards
CHANGELOG:
Patch by Laurent MOHIN, 05 Feb 2004
- common/usb.c: buffer overflow correction

--- work/u-boot-1.0.0/common/usb.c      Thu Sep 18 11:21:35 2003
+++ work-lm/u-boot-1.0.0/common/usb.c   Thu Feb  5 17:07:38 2004
@@ -46,6 +46,7 @@
 #include <405gp_pci.h>
 #endif
+#define BUFFER_MAX_SIZE 512
#undef USB_DEBUG
@@ -386,7 +387,12 @@
                return -1;
        }
        tmp=swap_16(config->wTotalLength);
-
+ 
+   if (tmp > BUFFER_MAX_SIZE) {
+               USB_PRINTF("usb_get_configuration_no: failed to get 
descriptor - length too long %d\n",tmp);
+               return -1;
+   }
+ 
        result = usb_get_descriptor(dev, USB_DT_CONFIG, cfgno, buffer, 
tmp);
        USB_PRINTF("get_conf_no %d Result %d, wLength 
%d\n",cfgno,result,tmp);
        return result;
@@ -516,8 +522,8 @@
  */
 int usb_string(struct usb_device *dev, int index, char *buf, size_t size)
 {
-
-       unsigned char mybuf[256];
+ 
+       unsigned char mybuf[BUFFER_MAX_SIZE];
        unsigned char *tbuf;
        int err;
        unsigned int u, idx;
@@ -550,9 +556,15 @@
        if (err < 0)
                return err;
        u=tbuf[0];
        USB_PRINTF("Strn Len %d, index %d\n",u,index);
+
+   if (u > BUFFER_MAX_SIZE) {
+               USB_PRINTF("usb_string : failed to get string - length too 
long %d\n",u);
+               return -1;
+   }
+ 
        err = usb_get_string(dev, dev->string_langid, index, tbuf, u);
@@ -619,8 +631,8 @@
 {
        int addr, err;
        int tmp;
-       unsigned char tmpbuf[256];
-
+       unsigned char tmpbuf[BUFFER_MAX_SIZE];
+ 
        dev->descriptor.bMaxPacketSize0 = 8;  /* Start off at 8 bytes  */
        dev->maxpacketsize = 0;         /* Default to 8 byte max packet 
size */
        dev->epmaxpacketin [0] = 8;
@@ -895,7 +907,7 @@
int usb_hub_configure(struct usb_device *dev)
 {
-       unsigned char buffer[256], *bitmap;
+       unsigned char buffer[BUFFER_MAX_SIZE], *bitmap;
        struct usb_hub_descriptor *descriptor;
        struct usb_hub_status *hubsts;
        int i;
@@ -912,7 +924,13 @@
                return -1;
        }
        descriptor = (struct usb_hub_descriptor *)buffer;
-       if (usb_get_hub_descriptor(dev, buffer, descriptor->bLength) < 0) 
{
+
+   if (descriptor->bLength > BUFFER_MAX_SIZE) {
+               USB_HUB_PRINTF("usb_hub_configure: failed to get hub 
descriptor - length too long %d\n",descriptor->bLength);
+               return -1;
+   }
+ 
+   if (usb_get_hub_descriptor(dev, buffer, descriptor->bLength) < 0) {
                USB_HUB_PRINTF("usb_hub_configure: failed to get hub 
descriptor 2nd giving up %lX\n",dev->status);
                return -1;
        }
@@ -968,7 +986,13 @@
        for (i = 0; i < dev->maxchild; i++)
                USB_HUB_PRINTF("port %d is%s removable\n", i + 1,
                        hub->desc.DeviceRemovable[(i + 1)/8] & (1 << ((i + 
1)%8)) ? " not" : "");
-       if (usb_get_hub_status(dev, buffer) < 0) {
+
+   if (sizeof(struct usb_hub_status) > BUFFER_MAX_SIZE) {
+               USB_HUB_PRINTF("usb_hub_configure: failed to get Status - 
length too long %d\n",descriptor->bLength);
+               return -1;
+   }
+ 
+   if (usb_get_hub_status(dev, buffer) < 0) {
                USB_HUB_PRINTF("usb_hub_configure: failed to get Status 
%lX\n",dev->status);
                return -1;
        }

    

Laurent Mohin

Wolfgang Denk

tags (0)

participants (2)