Module Name: src Committed By: riz Date: Mon May 7 16:25:42 UTC 2012
Modified Files: src/sys/dev/usb [netbsd-6]: ubt.c Log Message: Pull up following revision(s) (requested by christos in ticket #216): sys/dev/usb/ubt.c: revision 1.47 PR/46338: Nat Sloss: Prevent ubt synchronization loss from overwriting memory. To generate a diff of this commit: cvs rdiff -u -r1.44 -r1.44.2.1 src/sys/dev/usb/ubt.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/usb/ubt.c diff -u src/sys/dev/usb/ubt.c:1.44 src/sys/dev/usb/ubt.c:1.44.2.1 --- src/sys/dev/usb/ubt.c:1.44 Mon Jan 23 08:30:24 2012 +++ src/sys/dev/usb/ubt.c Mon May 7 16:25:42 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: ubt.c,v 1.44 2012/01/23 08:30:24 plunky Exp $ */ +/* $NetBSD: ubt.c,v 1.44.2.1 2012/05/07 16:25:42 riz Exp $ */ /*- * Copyright (c) 2006 Itronix Inc. @@ -67,7 +67,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.44 2012/01/23 08:30:24 plunky Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.44.2.1 2012/05/07 16:25:42 riz Exp $"); #include <sys/param.h> #include <sys/device.h> @@ -1671,10 +1671,7 @@ ubt_recv_sco_complete(usbd_xfer_handle x if (got + size > want) size = want - got; - if (got + size > MHLEN) - memcpy(ptr, frame, MHLEN - got); - else - memcpy(ptr, frame, size); + memcpy(ptr, frame, size); ptr += size; got += size; @@ -1686,8 +1683,18 @@ ubt_recv_sco_complete(usbd_xfer_handle x * length to our want count. Send complete * packets up to protocol stack. */ - if (want == sizeof(hci_scodata_hdr_t)) - want += mtod(m, hci_scodata_hdr_t *)->length; + if (want == sizeof(hci_scodata_hdr_t)) { + uint32_t len = + mtod(m, hci_scodata_hdr_t *)->length; + want += len; + if (len == 0 || want > MHLEN) { + aprint_error_dev(sc->sc_dev, + "packet too large %u " + "(lost sync)\n", len); + sc->sc_stats.err_rx++; + return; + } + } if (got == want) { m->m_pkthdr.len = m->m_len = got;