Module Name: src
Committed By: christos
Date: Tue Apr 24 20:04:50 UTC 2012
Modified Files:
src/sys/dev/usb: ubt.c
Log Message:
PR/46338: Nat Sloss: Prevent ubt synchronization loss from overwriting memory.
To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 src/sys/dev/usb/ubt.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/usb/ubt.c
diff -u src/sys/dev/usb/ubt.c:1.46 src/sys/dev/usb/ubt.c:1.47
--- src/sys/dev/usb/ubt.c:1.46 Thu Apr 5 12:31:53 2012
+++ src/sys/dev/usb/ubt.c Tue Apr 24 16:04:49 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: ubt.c,v 1.46 2012/04/05 16:31:53 plunky Exp $ */
+/* $NetBSD: ubt.c,v 1.47 2012/04/24 20:04:49 christos Exp $ */
/*-
* Copyright (c) 2006 Itronix Inc.
@@ -67,7 +67,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.46 2012/04/05 16:31:53 plunky Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.47 2012/04/24 20:04:49 christos Exp $");
#include <sys/param.h>
#include <sys/device.h>
@@ -1672,10 +1672,7 @@ ubt_recv_sco_complete(usbd_xfer_handle x
if (got + size > want)
size = want - got;
- if (got + size > MHLEN)
- memcpy(ptr, frame, MHLEN - got);
- else
- memcpy(ptr, frame, size);
+ memcpy(ptr, frame, size);
ptr += size;
got += size;
@@ -1687,8 +1684,18 @@ ubt_recv_sco_complete(usbd_xfer_handle x
* length to our want count. Send complete
* packets up to protocol stack.
*/
- if (want == sizeof(hci_scodata_hdr_t))
- want += mtod(m, hci_scodata_hdr_t *)->length;
+ if (want == sizeof(hci_scodata_hdr_t)) {
+ uint32_t len =
+ mtod(m, hci_scodata_hdr_t *)->length;
+ want += len;
+ if (len == 0 || want > MHLEN) {
+ aprint_error_dev(sc->sc_dev,
+ "packet too large %u "
+ "(lost sync)\n", len);
+ sc->sc_stats.err_rx++;
+ return;
+ }
+ }
if (got == want) {
m->m_pkthdr.len = m->m_len = got;
