Commit f08adf5a authored by Greg Kroah-Hartman's avatar Greg Kroah-Hartman

USB: gadget: bRequestType is a bitfield, not a enum

Szymon rightly pointed out that the previous check for the endpoint
direction in bRequestType was not looking at only the bit involved, but
rather the whole value.  Normally this is ok, but for some request
types, bits other than bit 8 could be set and the check for the endpoint
length could not stall correctly.

Fix that up by only checking the single bit.

Fixes: 153a2d7e ("USB: gadget: detect too-big endpoint 0 requests")
Cc: Felipe Balbi <balbi@kernel.org>
Reported-by: default avatarSzymon Heidrich <szymon.heidrich@gmail.com>
Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 99ea221f
...@@ -1680,14 +1680,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) ...@@ -1680,14 +1680,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
u8 endp; u8 endp;
if (w_length > USB_COMP_EP0_BUFSIZ) { if (w_length > USB_COMP_EP0_BUFSIZ) {
if (ctrl->bRequestType == USB_DIR_OUT) { if (ctrl->bRequestType & USB_DIR_IN) {
goto done;
} else {
/* Cast away the const, we are going to overwrite on purpose. */ /* Cast away the const, we are going to overwrite on purpose. */
__le16 *temp = (__le16 *)&ctrl->wLength; __le16 *temp = (__le16 *)&ctrl->wLength;
*temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ); *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
w_length = USB_COMP_EP0_BUFSIZ; w_length = USB_COMP_EP0_BUFSIZ;
} else {
goto done;
} }
} }
......
...@@ -346,14 +346,14 @@ static int dbgp_setup(struct usb_gadget *gadget, ...@@ -346,14 +346,14 @@ static int dbgp_setup(struct usb_gadget *gadget,
u16 len = 0; u16 len = 0;
if (length > DBGP_REQ_LEN) { if (length > DBGP_REQ_LEN) {
if (ctrl->bRequestType == USB_DIR_OUT) { if (ctrl->bRequestType & USB_DIR_IN) {
return err;
} else {
/* Cast away the const, we are going to overwrite on purpose. */ /* Cast away the const, we are going to overwrite on purpose. */
__le16 *temp = (__le16 *)&ctrl->wLength; __le16 *temp = (__le16 *)&ctrl->wLength;
*temp = cpu_to_le16(DBGP_REQ_LEN); *temp = cpu_to_le16(DBGP_REQ_LEN);
length = DBGP_REQ_LEN; length = DBGP_REQ_LEN;
} else {
return err;
} }
} }
......
...@@ -1334,14 +1334,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) ...@@ -1334,14 +1334,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
u16 w_length = le16_to_cpu(ctrl->wLength); u16 w_length = le16_to_cpu(ctrl->wLength);
if (w_length > RBUF_SIZE) { if (w_length > RBUF_SIZE) {
if (ctrl->bRequestType == USB_DIR_OUT) { if (ctrl->bRequestType & USB_DIR_IN) {
return value;
} else {
/* Cast away the const, we are going to overwrite on purpose. */ /* Cast away the const, we are going to overwrite on purpose. */
__le16 *temp = (__le16 *)&ctrl->wLength; __le16 *temp = (__le16 *)&ctrl->wLength;
*temp = cpu_to_le16(RBUF_SIZE); *temp = cpu_to_le16(RBUF_SIZE);
w_length = RBUF_SIZE; w_length = RBUF_SIZE;
} else {
return value;
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment