Commit 5d6ae4f0 authored by Chris Dickens's avatar Chris Dickens Committed by Felipe Balbi

usb: gadget: composite: fix incorrect handling of OS desc requests

When handling an OS descriptor request, one of the first operations is
to zero out the request buffer using the wLength from the setup packet.
There is no bounds checking, so a wLength > 4096 would clobber memory
adjacent to the request buffer. Fix this by taking the min of wLength
and the request buffer length prior to the memset. While at it, define
the buffer length in a header file so that magic numbers don't appear
throughout the code.

When returning data to the host, the data length should be the min of
the wLength and the valid data we have to return. Currently we are
returning wLength, thus requests for a wLength greater than the amount
of data in the OS descriptor buffer would return invalid (albeit zero'd)
data following the valid descriptor data. Fix this by counting the
number of bytes when constructing the data and using this when
determining the length of the request.
Signed-off-by: default avatarChris Dickens <christopher.a.dickens@gmail.com>
Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
parent f3768997
...@@ -1422,7 +1422,7 @@ static int count_ext_compat(struct usb_configuration *c) ...@@ -1422,7 +1422,7 @@ static int count_ext_compat(struct usb_configuration *c)
return res; return res;
} }
static void fill_ext_compat(struct usb_configuration *c, u8 *buf) static int fill_ext_compat(struct usb_configuration *c, u8 *buf)
{ {
int i, count; int i, count;
...@@ -1449,10 +1449,12 @@ static void fill_ext_compat(struct usb_configuration *c, u8 *buf) ...@@ -1449,10 +1449,12 @@ static void fill_ext_compat(struct usb_configuration *c, u8 *buf)
buf += 23; buf += 23;
} }
count += 24; count += 24;
if (count >= 4096) if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ)
return; return count;
} }
} }
return count;
} }
static int count_ext_prop(struct usb_configuration *c, int interface) static int count_ext_prop(struct usb_configuration *c, int interface)
...@@ -1497,25 +1499,20 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf) ...@@ -1497,25 +1499,20 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf)
struct usb_os_desc *d; struct usb_os_desc *d;
struct usb_os_desc_ext_prop *ext_prop; struct usb_os_desc_ext_prop *ext_prop;
int j, count, n, ret; int j, count, n, ret;
u8 *start = buf;
f = c->interface[interface]; f = c->interface[interface];
count = 10; /* header length */
for (j = 0; j < f->os_desc_n; ++j) { for (j = 0; j < f->os_desc_n; ++j) {
if (interface != f->os_desc_table[j].if_id) if (interface != f->os_desc_table[j].if_id)
continue; continue;
d = f->os_desc_table[j].os_desc; d = f->os_desc_table[j].os_desc;
if (d) if (d)
list_for_each_entry(ext_prop, &d->ext_prop, entry) { list_for_each_entry(ext_prop, &d->ext_prop, entry) {
/* 4kB minus header length */ n = ext_prop->data_len +
n = buf - start;
if (n >= 4086)
return 0;
count = ext_prop->data_len +
ext_prop->name_len + 14; ext_prop->name_len + 14;
if (count > 4086 - n) if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ)
return -EINVAL; return count;
usb_ext_prop_put_size(buf, count); usb_ext_prop_put_size(buf, n);
usb_ext_prop_put_type(buf, ext_prop->type); usb_ext_prop_put_type(buf, ext_prop->type);
ret = usb_ext_prop_put_name(buf, ext_prop->name, ret = usb_ext_prop_put_name(buf, ext_prop->name,
ext_prop->name_len); ext_prop->name_len);
...@@ -1541,11 +1538,12 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf) ...@@ -1541,11 +1538,12 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf)
default: default:
return -EINVAL; return -EINVAL;
} }
buf += count; buf += n;
count += n;
} }
} }
return 0; return count;
} }
/* /*
...@@ -1827,6 +1825,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) ...@@ -1827,6 +1825,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
req->complete = composite_setup_complete; req->complete = composite_setup_complete;
buf = req->buf; buf = req->buf;
os_desc_cfg = cdev->os_desc_config; os_desc_cfg = cdev->os_desc_config;
w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ);
memset(buf, 0, w_length); memset(buf, 0, w_length);
buf[5] = 0x01; buf[5] = 0x01;
switch (ctrl->bRequestType & USB_RECIP_MASK) { switch (ctrl->bRequestType & USB_RECIP_MASK) {
...@@ -1850,8 +1849,8 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) ...@@ -1850,8 +1849,8 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
count += 16; /* header */ count += 16; /* header */
put_unaligned_le32(count, buf); put_unaligned_le32(count, buf);
buf += 16; buf += 16;
fill_ext_compat(os_desc_cfg, buf); value = fill_ext_compat(os_desc_cfg, buf);
value = w_length; value = min_t(u16, w_length, value);
} }
break; break;
case USB_RECIP_INTERFACE: case USB_RECIP_INTERFACE:
...@@ -1880,8 +1879,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) ...@@ -1880,8 +1879,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
interface, buf); interface, buf);
if (value < 0) if (value < 0)
return value; return value;
value = min_t(u16, w_length, value);
value = w_length;
} }
break; break;
} }
...@@ -2156,8 +2154,8 @@ int composite_os_desc_req_prepare(struct usb_composite_dev *cdev, ...@@ -2156,8 +2154,8 @@ int composite_os_desc_req_prepare(struct usb_composite_dev *cdev,
goto end; goto end;
} }
/* OS feature descriptor length <= 4kB */ cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ,
cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL); GFP_KERNEL);
if (!cdev->os_desc_req->buf) { if (!cdev->os_desc_req->buf) {
ret = -ENOMEM; ret = -ENOMEM;
usb_ep_free_request(ep0, cdev->os_desc_req); usb_ep_free_request(ep0, cdev->os_desc_req);
......
...@@ -54,6 +54,9 @@ ...@@ -54,6 +54,9 @@
/* big enough to hold our biggest descriptor */ /* big enough to hold our biggest descriptor */
#define USB_COMP_EP0_BUFSIZ 1024 #define USB_COMP_EP0_BUFSIZ 1024
/* OS feature descriptor length <= 4kB */
#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096
#define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1) #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1)
struct usb_configuration; struct usb_configuration;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment