Source-Changes-HG archive
[src/netbsd-7]: src/sys/dev/usb Pull up following revision(s) (requested by k...
details: https://anonhg.NetBSD.org/src/rev/9f3e43b211ee
branches: netbsd-7
changeset: 800383:9f3e43b211ee
user: snj <snj%NetBSD.org@localhost>
date: Wed Jan 03 21:18:03 2018 +0000
description:
Pull up following revision(s) (requested by khorben in ticket #1541):
sys/dev/usb/usb_subr.c: revision 1.222
Be more defensive towards malicious USB devices
This avoids potential panics due to 0-sized memory allocation attempts,
which could be triggered by malicious USB devices.
Tested on NetBSD/amd64 with a Sony Xperia X (SailfishOS).
Based on an initial patch by Nick Hudson <skrll%NetBSD.org@localhost>, thanks!
Fixes PR kern/52383.
diffstat:
sys/dev/usb/usb_subr.c | 18 ++++++++++++++++--
1 files changed, 16 insertions(+), 2 deletions(-)
diffs (53 lines):
diff -r 35d4c1d47954 -r 9f3e43b211ee sys/dev/usb/usb_subr.c
--- a/sys/dev/usb/usb_subr.c Wed Jan 03 21:11:40 2018 +0000
+++ b/sys/dev/usb/usb_subr.c Wed Jan 03 21:18:03 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: usb_subr.c,v 1.196.4.3 2017/04/05 19:54:20 snj Exp $ */
+/* $NetBSD: usb_subr.c,v 1.196.4.4 2018/01/03 21:18:03 snj Exp $ */
/* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */
/*
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.196.4.3 2017/04/05 19:54:20 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.196.4.4 2018/01/03 21:18:03 snj Exp $");
#ifdef _KERNEL_OPT
#include "opt_compat_netbsd.h"
@@ -644,6 +644,10 @@
return err;
}
len = UGETW(cd.wTotalLength);
+ if (len == 0) {
+ DPRINTF("empty short descriptor", 0, 0, 0, 0);
+ return USBD_INVAL;
+ }
cdp = kmem_alloc(len, KM_SLEEP);
if (cdp == NULL)
return USBD_NOMEM;
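Review bot: the new `if (len == 0)` test rejects only a zero `wTotalLength`; a device can still report a nonzero value smaller than the fixed configuration descriptor header that was just read into `cd`, and `kmem_alloc(len, KM_SLEEP)` then returns a buffer shorter than the structure `cdp` is treated as. Consider a lower bound instead, for example `if (len < USB_CONFIG_DESCRIPTOR_SIZE)`, and log the offending `len` in the DPRINTF so a rejected device can be diagnosed. The message "empty short descriptor" would also read more clearly if it named the field being checked (`wTotalLength`).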
@@ -672,6 +676,11 @@
err = usbd_get_bos_desc(dev, index, &bd);
if (!err) {
int blen = UGETW(bd.wTotalLength);
+ if (blen == 0) {
+ DPRINTF("empty bos descriptor", 0, 0, 0, 0);
+ err = USBD_INVAL;
+ goto bad;
+ }
bdp = kmem_alloc(blen, KM_SLEEP);
if (bdp == NULL) {
err = USBD_NOMEM;
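Review bot: at `if (blen == 0)`, the same gap applies as for the configuration descriptor: any nonzero `wTotalLength` below the size of the fixed BOS header already fetched into `bd` still reaches `kmem_alloc(blen, KM_SLEEP)`. Comparing `blen` against the BOS header size rather than zero would cover both cases. Since this path uses `goto bad` while the earlier check returns directly, a one-line comment noting that `cdp` is already allocated here (hence the jump to the cleanup label) would make the difference obvious to the next reader.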
@@ -765,6 +774,11 @@
/* Allocate and fill interface data. */
nifc = cdp->bNumInterface;
+ if (nifc == 0) {
+ DPRINTF("no interfaces", 0, 0, 0, 0);
+ err = USBD_INVAL;
+ goto bad;
+ }
dev->ud_ifaces = kmem_alloc(nifc * sizeof(struct usbd_interface),
KM_SLEEP);
if (dev->ud_ifaces == NULL) {
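Review bot: at `if (nifc == 0)`, the reason for refusing a configuration with no interfaces (avoiding a zero-sized `kmem_alloc`) lives only in the commit message; a short comment above the check would keep that reasoning next to the code. The jump to `bad` happens before `dev->ud_ifaces` is assigned, and the label is outside this hunk, so it is worth confirming that the cleanup there does not free or iterate `dev->ud_ifaces` on this path. Nonzero `bNumInterface` values are still taken from the device as-is for the allocation size, which is fine for the allocation itself but means any validation against the descriptor data has to happen in the fill code that follows.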