[src/trunk]: src/sys/dev/usb Fix buffer overflows: validate the lengths at at...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/b6986c3b7567
branches:  trunk
changeset: 1006063:b6986c3b7567
user:      maxv <maxv%NetBSD.org@localhost>
date:      Wed Jan 01 09:08:28 2020 +0000

description:
Fix buffer overflows: validate the lengths at attach time, given that they
are apparently not supposed to be variable. Drop sc_ilen since it is
unused.

diffstat:

 sys/dev/usb/ucycom.c |  23 +++++++++++++++++------
 1 files changed, 17 insertions(+), 6 deletions(-)

diffs (77 lines):

diff -r 6a006be90c0f -r b6986c3b7567 sys/dev/usb/ucycom.c
--- a/sys/dev/usb/ucycom.c      Wed Jan 01 09:05:03 2020 +0000
+++ b/sys/dev/usb/ucycom.c      Wed Jan 01 09:08:28 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ucycom.c,v 1.48 2019/12/01 08:27:54 maxv Exp $ */
+/*     $NetBSD: ucycom.c,v 1.49 2020/01/01 09:08:28 maxv Exp $ */
 
 /*
  * Copyright (c) 2005 The NetBSD Foundation, Inc.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ucycom.c,v 1.48 2019/12/01 08:27:54 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ucycom.c,v 1.49 2020/01/01 09:08:28 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -121,11 +121,15 @@
 
        struct tty              *sc_tty;
 
+       enum {
+               UCYCOM_INIT_NONE,
+               UCYCOM_INIT_INITED
+       } sc_init_state;
+
        kmutex_t sc_lock;       /* protects refcnt, others */
 
        /* uhidev parameters */
        size_t                  sc_flen; /* feature report length */
-       size_t                  sc_ilen; /* input report length */
        size_t                  sc_olen; /* output report length */
 
        uint8_t                 *sc_obuf;
@@ -219,13 +223,18 @@
        sc->sc_hdev.sc_intr = ucycom_intr;
        sc->sc_hdev.sc_parent = uha->parent;
        sc->sc_hdev.sc_report_id = uha->reportid;
+       sc->sc_init_state = UCYCOM_INIT_NONE;
 
        uhidev_get_report_desc(uha->parent, &desc, &size);
        repid = uha->reportid;
-       sc->sc_ilen = hid_report_size(desc, size, hid_input, repid);
        sc->sc_olen = hid_report_size(desc, size, hid_output, repid);
        sc->sc_flen = hid_report_size(desc, size, hid_feature, repid);
 
+       if (sc->sc_olen != 8 && sc->sc_olen != 32)
+               return;
+       if (sc->sc_flen != 5)
+               return;
+
        sc->sc_msr = sc->sc_mcr = 0;
 
        /* set up tty */
@@ -238,6 +247,8 @@
 
        /* Nothing interesting to report */
        aprint_normal("\n");
+
+       sc->sc_init_state = UCYCOM_INIT_INITED;
 }
 
 
@@ -334,10 +345,10 @@
 
        if (sc == NULL)
                return ENXIO;
-
        if (sc->sc_dying)
                return EIO;
-
+       if (sc->sc_init_state != UCYCOM_INIT_INITED)
+               return ENXIO;
        if (!device_is_active(sc->sc_hdev.sc_dev))
                return ENXIO;