Subject: Re: kern/24636 potential invalid memory access in usbd_transfer
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Matthew Orgass <darkstar@city-net.com>
List: netbsd-bugs
Date: 11/21/2006 17:50:02
The following reply was made to PR kern/24636; it has been noted by GNATS.
From: Matthew Orgass <darkstar@city-net.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/24636 potential invalid memory access in usbd_transfer
Date: Tue, 21 Nov 2006 12:07:08 -0500 (EST)
Improved patch:
Index: sys/dev/usb/usbdi.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/usbdi.c,v
retrieving revision 1.113
diff -u -p -r1.113 usbdi.c
--- sys/dev/usb/usbdi.c 12 Oct 2006 01:32:00 -0000 1.113
+++ sys/dev/usb/usbdi.c 21 Nov 2006 17:43:39 -0000
@@ -284,10 +284,10 @@ usbd_transfer(usbd_xfer_handle xfer)
usbd_pipe_handle pipe = xfer->pipe;
usb_dma_t *dmap = &xfer->dmabuf;
usbd_status err;
- u_int size;
+ unsigned int size, flags;
int s;
- DPRINTFN(5,("usbd_transfer: xfer=%p, flags=%d, pipe=%p, running=%d\n",
+ DPRINTFN(5,("usbd_transfer: xfer=%p, flags=%#x, pipe=%p, running=%d\n",
xfer, xfer->flags, pipe, pipe->running));
#ifdef USB_DEBUG
if (usbdebug > 5)
@@ -313,11 +313,13 @@ usbd_transfer(usbd_xfer_handle xfer)
xfer->rqflags |= URQ_AUTO_DMABUF;
}
+ flags = xfer->flags;
+
/* Copy data if going out. */
- if (!(xfer->flags & USBD_NO_COPY) && size != 0 &&
- !usbd_xfer_isread(xfer))
+ if (!(flags & USBD_NO_COPY) && size != 0 && !usbd_xfer_isread(xfer))
memcpy(KERNADDR(dmap, 0), xfer->buffer, size);
+ /* xfer is not valid after the transfer method unless synchronous */
err = pipe->methods->transfer(xfer);
if (err != USBD_IN_PROGRESS && err) {
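Review bot: The error branch opened on the last line of this hunk, `if (err != USBD_IN_PROGRESS && err) {`, runs after `pipe->methods->transfer(xfer)` and its body lies outside the hunk, so confirm that it does not read `xfer` fields in any case where the xfer may already be invalid. The patch snapshots only `flags`, so any other field read after the call is still a live dereference. If an error return guarantees the xfer was never queued and is therefore still owned by the caller, the comment should state that invariant, because the branch depends on it. The added comment could also name what stays safe to use, e.g. `/* An asynchronous xfer may no longer be valid once transfer() returns; use only the cached flags and pipe from here on. */`. usbd_transfer begins and ends outside this hunk.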
@@ -330,7 +332,7 @@ usbd_transfer(usbd_xfer_handle xfer)
}
}
- if (!(xfer->flags & USBD_SYNCHRONOUS))
+ if (!(flags & USBD_SYNCHRONOUS))
return (err);
/* Sync transfer, wait for completion. */