On 05/02/14(Wed) 00:39, Thomas Pfaff wrote:
> [...]
> > This diff simply removes the possibility to "unconfigure" a device by
> > passing the magic value to usbd_set_config_no(). There's no code in
> > our tree that does that so it should be enough for the moment.
>
> Configuration 0 should be the "unconfigured state" though according to
> the libusb documentation some devices (not following the specification)
> actually have a configuration 0. Not sure if that'd be an issue here.

In this particular case it wouldn't be an issue since such a device would
have a valid (non-negative) index for its configuration. But I'm
quite sure such a device would generate a lot of other problems (such as
leaks, parsing errors, etc).

Generally our stack does a poor job at validating/parsing what the
hardware is sending. It would certainly be fun to plug in malicious USB
devices and watch... :)

> Anyway, the patch below fixes the issue. Thanks again.

It's in now, thanks for testing.
>
> > Index: usb_subr.c
> > ===================================================================
> > RCS file: /cvs/src/sys/dev/usb/usb_subr.c,v
> > retrieving revision 1.96
> > diff -u -p -r1.96 usb_subr.c
> > --- usb_subr.c 15 Jan 2014 11:10:40 -0000 1.96
> > +++ usb_subr.c 2 Feb 2014 17:05:43 -0000
> > @@ -604,9 +604,6 @@ usbd_set_config_no(struct usbd_device *d
> > usb_config_descriptor_t cd;
> > usbd_status err;
> >
> > - if (no == USB_UNCONFIG_NO)
> > - return (usbd_set_config_index(dev, USB_UNCONFIG_INDEX, msg));
> > -
> > DPRINTFN(5,("usbd_set_config_no: %d\n", no));
> > /* Figure out what config index to use. */
> > for (index = 0; index < dev->ddesc.bNumConfigurations; index++) {
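
Review bot: with the early return gone from the top of usbd_set_config_no(), nothing in the function documents what a caller passing USB_UNCONFIG_NO gets now; the value simply falls into the "Figure out what config index to use" loop and is compared like any other configuration number. A short comment above that loop stating that the unconfigure case is no longer handled here would record the change in contract, and if USB_UNCONFIG_NO has no remaining users its definition could be dropped in the same commit. The loop is bounded by dev->ddesc.bNumConfigurations, which comes from the device's own descriptor, so it is worth confirming that the path taken when no index matches (not visible in this hunk) returns an error rather than reusing a stale index.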