Module Name: src Committed By: christos Date: Tue Apr 24 20:04:50 UTC 2012
Modified Files: src/sys/dev/usb: ubt.c Log Message: PR/46338: Nat Sloss: Prevent ubt synchronization loss from overwriting memory. To generate a diff of this commit: cvs rdiff -u -r1.46 -r1.47 src/sys/dev/usb/ubt.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/usb/ubt.c diff -u src/sys/dev/usb/ubt.c:1.46 src/sys/dev/usb/ubt.c:1.47 --- src/sys/dev/usb/ubt.c:1.46 Thu Apr 5 12:31:53 2012 +++ src/sys/dev/usb/ubt.c Tue Apr 24 16:04:49 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: ubt.c,v 1.46 2012/04/05 16:31:53 plunky Exp $ */ +/* $NetBSD: ubt.c,v 1.47 2012/04/24 20:04:49 christos Exp $ */ /*- * Copyright (c) 2006 Itronix Inc. @@ -67,7 +67,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.46 2012/04/05 16:31:53 plunky Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.47 2012/04/24 20:04:49 christos Exp $"); #include <sys/param.h> #include <sys/device.h> @@ -1672,10 +1672,7 @@ ubt_recv_sco_complete(usbd_xfer_handle x if (got + size > want) size = want - got; - if (got + size > MHLEN) - memcpy(ptr, frame, MHLEN - got); - else - memcpy(ptr, frame, size); + memcpy(ptr, frame, size); ptr += size; got += size; @@ -1687,8 +1684,18 @@ ubt_recv_sco_complete(usbd_xfer_handle x * length to our want count. Send complete * packets up to protocol stack. */ - if (want == sizeof(hci_scodata_hdr_t)) - want += mtod(m, hci_scodata_hdr_t *)->length; + if (want == sizeof(hci_scodata_hdr_t)) { + uint32_t len = + mtod(m, hci_scodata_hdr_t *)->length; + want += len; + if (len == 0 || want > MHLEN) { + aprint_error_dev(sc->sc_dev, + "packet too large %u " + "(lost sync)\n", len); + sc->sc_stats.err_rx++; + return; + } + } if (got == want) { m->m_pkthdr.len = m->m_len = got;
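Review bot: With the MHLEN clamp removed, the `memcpy(ptr, frame, size)` in ubt_recv_sco_complete has no bound of its own and depends on `want` never exceeding MHLEN, which this commit enforces only where `want` is extended from the header length. A short comment stating that invariant, plus `KASSERT(got + size <= MHLEN);` directly before the copy, would make any other assignment to `want` fail in a DIAGNOSTIC kernel instead of writing past the mbuf data. No such assignment is visible in this hunk, so whether one exists elsewhere in the function needs checking. The function starts and ends outside the hunk.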
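Review bot: The new error branch in ubt_recv_sco_complete leaves via `return;` without releasing `m` in the lines shown, so each rejected header may leak an mbuf if the function owns it at that point (ownership is set up outside the hunk); if it does, `m_freem(m);` belongs before the `return;`. The `len == 0` case is also reported as `packet too large 0`, which will mislead whoever reads the console; a separate message such as `"zero length packet (lost sync)\n"` would be clearer. Because the length field comes from the device, a misbehaving adapter could hit this branch repeatedly, so it is worth confirming that the `aprint_error_dev` call cannot flood the log. The function body continues outside the hunk.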