Module Name:    src
Committed By:   riz
Date:           Mon May  7 16:25:42 UTC 2012

Modified Files:
        src/sys/dev/usb [netbsd-6]: ubt.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #216):
        sys/dev/usb/ubt.c: revision 1.47
PR/46338: Nat Sloss: Prevent ubt synchronization loss from overwriting memory.


To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.44.2.1 src/sys/dev/usb/ubt.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/usb/ubt.c
diff -u src/sys/dev/usb/ubt.c:1.44 src/sys/dev/usb/ubt.c:1.44.2.1
--- src/sys/dev/usb/ubt.c:1.44	Mon Jan 23 08:30:24 2012
+++ src/sys/dev/usb/ubt.c	Mon May  7 16:25:42 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: ubt.c,v 1.44 2012/01/23 08:30:24 plunky Exp $	*/
+/*	$NetBSD: ubt.c,v 1.44.2.1 2012/05/07 16:25:42 riz Exp $	*/
 
 /*-
  * Copyright (c) 2006 Itronix Inc.
@@ -67,7 +67,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.44 2012/01/23 08:30:24 plunky Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.44.2.1 2012/05/07 16:25:42 riz Exp $");
 
 #include <sys/param.h>
 #include <sys/device.h>
@@ -1671,10 +1671,7 @@ ubt_recv_sco_complete(usbd_xfer_handle x
 			if (got + size > want)
 				size = want - got;
 
-			if (got + size > MHLEN)
-				memcpy(ptr, frame, MHLEN - got);
-			else
-				memcpy(ptr, frame, size);
+			memcpy(ptr, frame, size);
 
 			ptr += size;
 			got += size;
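Review bot: With the MHLEN clamp removed, `memcpy(ptr, frame, size)` is bounded only by `want`, so its safety now rests on every path that sets `want` having checked it against MHLEN first. The length check this commit adds further down covers the point where the header completes, but the initial value of `want` is computed before this loop, outside the hunk, and cannot be verified from here; that is worth confirming for the case where a partially received packet is resumed. A `KASSERT(got + size <= MHLEN);` immediately before the copy would state the invariant in the code and catch a regression in diagnostic kernels.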
@@ -1686,8 +1683,18 @@ ubt_recv_sco_complete(usbd_xfer_handle x
 				 * length to our want count. Send complete
 				 * packets up to protocol stack.
 				 */
-				if (want == sizeof(hci_scodata_hdr_t))
-					want += mtod(m, hci_scodata_hdr_t *)->length;
+				if (want == sizeof(hci_scodata_hdr_t)) {
+					uint32_t len =
+					    mtod(m, hci_scodata_hdr_t *)->length;
+					want += len;
+					if (len == 0 || want > MHLEN) {
+						aprint_error_dev(sc->sc_dev,
+						    "packet too large %u "
+						    "(lost sync)\n", len);
+						sc->sc_stats.err_rx++;
+						return;
+					}
+				}
 
 				if (got == want) {
 					m->m_pkthdr.len = m->m_len = got;
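Review bot: The early `return` on the lost-sync path exits while `m` still refers to the partially filled mbuf, and nothing visible in the hunk frees it or stores it back in the softc. The rest of ubt_recv_sco_complete is outside the hunk, so confirm that this path neither leaks the mbuf nor skips whatever normally restarts the isochronous transfer; if it does, release the buffer first (`m_freem(m);`) or leave through the function's common exit instead of returning directly. Separately, the message reads "packet too large" for the `len == 0` case as well, and it is printed once per bad header from device-controlled data, so a faulty or hostile adapter could flood the console. A distinct message for the zero-length case and some rate limiting would make the log more useful.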
