Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/dev/usb Fix buffer overflows. Also add missing mutex_exit.

details:   https://anonhg.NetBSD.org/src/rev/e76b83306247
branches:  trunk
changeset: 968027:e76b83306247
user:      maxv <maxv%NetBSD.org@localhost>
date:      Wed Jan 01 09:05:03 2020 +0000

description:
Fix buffer overflows. Also add missing mutex_exit.

diffstat:

 sys/dev/usb/uhid.c |  16 +++++++++++++---
 1 files changed, 13 insertions(+), 3 deletions(-)

diffs (66 lines):

diff -r cd41a2d60c46 -r e76b83306247 sys/dev/usb/uhid.c
--- a/sys/dev/usb/uhid.c        Wed Jan 01 09:03:00 2020 +0000
+++ b/sys/dev/usb/uhid.c        Wed Jan 01 09:05:03 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: uhid.c,v 1.110 2019/12/01 12:47:10 maxv Exp $  */
+/*     $NetBSD: uhid.c,v 1.111 2020/01/01 09:05:03 maxv Exp $  */
 
 /*
  * Copyright (c) 1998, 2004, 2008, 2012 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uhid.c,v 1.110 2019/12/01 12:47:10 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uhid.c,v 1.111 2020/01/01 09:05:03 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -398,6 +398,8 @@
        if (sc->sc_state & UHID_IMMED) {
                DPRINTFN(1, ("uhidread immed\n"));
                extra = sc->sc_hdev.sc_report_id != 0;
+               if (sc->sc_isize + extra > sizeof(buffer))
+                       return ENOBUFS;
                err = uhidev_get_report(&sc->sc_hdev, UHID_INPUT_REPORT,
                                        buffer, sc->sc_isize + extra);
                if (err)
@@ -541,8 +543,10 @@
        case FIOASYNC:
                mutex_enter(proc_lock);
                if (*(int *)addr) {
-                       if (sc->sc_async != NULL)
+                       if (sc->sc_async != NULL) {
+                               mutex_exit(proc_lock);
                                return EBUSY;
+                       }
                        sc->sc_async = l->l_proc;
                        DPRINTF(("uhid_do_ioctl: FIOASYNC %p\n", l->l_proc));
                } else
@@ -589,6 +593,8 @@
        case USB_SET_IMMED:
                if (*(int *)addr) {
                        extra = sc->sc_hdev.sc_report_id != 0;
+                       if (sc->sc_isize + extra > sizeof(buffer))
+                               return ENOBUFS;
                        err = uhidev_get_report(&sc->sc_hdev, UHID_INPUT_REPORT,
                                                buffer, sc->sc_isize + extra);
                        if (err)
@@ -615,6 +621,8 @@
                        return EINVAL;
                }
                extra = sc->sc_hdev.sc_report_id != 0;
+               if (size + extra > sizeof(re->ucr_data))
+                       return ENOBUFS;
                err = uhidev_get_report(&sc->sc_hdev, re->ucr_report,
                    re->ucr_data, size + extra);
                if (extra)
@@ -638,6 +646,8 @@
                default:
                        return EINVAL;
                }
+               if (size > sizeof(re->ucr_data))
+                       return ENOBUFS;
                err = uhidev_set_report(&sc->sc_hdev, re->ucr_report,
                    re->ucr_data, size);
                if (err)
Home | Main Index | Thread Index | Old Index