[src/trunk]: src/sys/dev/usb CID 1125827: Avoid buffer overrun (read past end...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/299e11e5883b
branches:  trunk
changeset: 791336:299e11e5883b
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Nov 13 21:36:57 2013 +0000

description:
CID 1125827: Avoid buffer overrun (read past end of struct)

diffstat:

 sys/dev/usb/xhci.c |  14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

diffs (57 lines):

diff -r 40770081f534 -r 299e11e5883b sys/dev/usb/xhci.c
--- a/sys/dev/usb/xhci.c        Wed Nov 13 21:25:40 2013 +0000
+++ b/sys/dev/usb/xhci.c        Wed Nov 13 21:36:57 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xhci.c,v 1.8 2013/11/10 03:38:58 mrg Exp $     */
+/*     $NetBSD: xhci.c,v 1.9 2013/11/13 21:36:57 christos Exp $        */
 
 /*
  * Copyright (c) 2013 Jonathan A. Kollasch
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.8 2013/11/10 03:38:58 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.9 2013/11/13 21:36:57 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -2098,13 +2098,13 @@
                                goto ret;
                        }
                        totlen = l = min(len, USB_DEVICE_DESCRIPTOR_SIZE);
-                       memcpy(buf, &xhci_devd, l);
+                       memcpy(buf, &xhci_devd, min(l, sizeof(xhci_devd)));
                        break;
                case UDESC_DEVICE_QUALIFIER:
                        if ((value & 0xff) != 0) {
                        }
                        totlen = l = min(len, USB_DEVICE_DESCRIPTOR_SIZE);
-                       memcpy(buf, &xhci_odevd, l);
+                       memcpy(buf, &xhci_odevd, min(l, sizeof(xhci_odevd)));
                        break;
                case UDESC_OTHER_SPEED_CONFIGURATION:
                case UDESC_CONFIG:
@@ -2113,19 +2113,19 @@
                                goto ret;
                        }
                        totlen = l = min(len, USB_CONFIG_DESCRIPTOR_SIZE);
-                       memcpy(buf, &xhci_confd, l);
+                       memcpy(buf, &xhci_confd, min(l, sizeof(xhci_confd)));
                        ((usb_config_descriptor_t *)buf)->bDescriptorType =
                            value >> 8;
                        buf = (char *)buf + l;
                        len -= l;
                        l = min(len, USB_INTERFACE_DESCRIPTOR_SIZE);
                        totlen += l;
-                       memcpy(buf, &xhci_ifcd, l);
+                       memcpy(buf, &xhci_ifcd, min(l, sizeof(xhci_ifcd)));
                        buf = (char *)buf + l;
                        len -= l;
                        l = min(len, USB_ENDPOINT_DESCRIPTOR_SIZE);
                        totlen += l;
-                       memcpy(buf, &xhci_endpd, l);
+                       memcpy(buf, &xhci_endpd, min(l, sizeof(xhci_endpd)));
                        break;
                case UDESC_STRING:
 #define sd ((usb_string_descriptor_t *)buf)