Module Name:    src
Committed By:   christos
Date:           Wed Nov 13 21:36:57 UTC 2013

Modified Files:
        src/sys/dev/usb: xhci.c

Log Message:
CID 1125827: Avoid buffer overrun (read past end of struct)


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/dev/usb/xhci.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/usb/xhci.c
diff -u src/sys/dev/usb/xhci.c:1.8 src/sys/dev/usb/xhci.c:1.9
--- src/sys/dev/usb/xhci.c:1.8	Sat Nov  9 22:38:58 2013
+++ src/sys/dev/usb/xhci.c	Wed Nov 13 16:36:57 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: xhci.c,v 1.8 2013/11/10 03:38:58 mrg Exp $	*/
+/*	$NetBSD: xhci.c,v 1.9 2013/11/13 21:36:57 christos Exp $	*/
 
 /*
  * Copyright (c) 2013 Jonathan A. Kollasch
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.8 2013/11/10 03:38:58 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.9 2013/11/13 21:36:57 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -2098,13 +2098,13 @@ xhci_root_ctrl_start(usbd_xfer_handle xf
 				goto ret;
 			}
 			totlen = l = min(len, USB_DEVICE_DESCRIPTOR_SIZE);
-			memcpy(buf, &xhci_devd, l);
+			memcpy(buf, &xhci_devd, min(l, sizeof(xhci_devd)));
 			break;
 		case UDESC_DEVICE_QUALIFIER:
 			if ((value & 0xff) != 0) {
 			}
 			totlen = l = min(len, USB_DEVICE_DESCRIPTOR_SIZE);
-			memcpy(buf, &xhci_odevd, l);
+			memcpy(buf, &xhci_odevd, min(l, sizeof(xhci_odevd)));
 			break;
 		case UDESC_OTHER_SPEED_CONFIGURATION:
 		case UDESC_CONFIG:
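Review bot: Clamping only the `memcpy` length leaves `l` and `totlen` at `min(len, USB_DEVICE_DESCRIPTOR_SIZE)`, so whenever the new `sizeof` bound is the smaller one, the tail of `buf` up to `l` is never written but is still counted in `totlen`. If `totlen` becomes the transfer's reported length (not visible in this hunk), the caller would be handed whatever those bytes held before, which trades the over-read for a possible disclosure of stale buffer contents. Bounding the length once covers both, e.g. `totlen = l = min(min(len, USB_DEVICE_DESCRIPTOR_SIZE), sizeof(xhci_odevd));` followed by the original `memcpy(buf, &xhci_odevd, l);`, and likewise for `xhci_devd`. The same applies to the three copies in the next hunk, where `buf` and `len` are also advanced by the unclamped `l`, so a short copy would leave an unwritten gap before the next descriptor. xhci_root_ctrl_start begins and ends outside this hunk.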
@@ -2113,19 +2113,19 @@ xhci_root_ctrl_start(usbd_xfer_handle xf
 				goto ret;
 			}
 			totlen = l = min(len, USB_CONFIG_DESCRIPTOR_SIZE);
-			memcpy(buf, &xhci_confd, l);
+			memcpy(buf, &xhci_confd, min(l, sizeof(xhci_confd)));
 			((usb_config_descriptor_t *)buf)->bDescriptorType =
 			    value >> 8;
 			buf = (char *)buf + l;
 			len -= l;
 			l = min(len, USB_INTERFACE_DESCRIPTOR_SIZE);
 			totlen += l;
-			memcpy(buf, &xhci_ifcd, l);
+			memcpy(buf, &xhci_ifcd, min(l, sizeof(xhci_ifcd)));
 			buf = (char *)buf + l;
 			len -= l;
 			l = min(len, USB_ENDPOINT_DESCRIPTOR_SIZE);
 			totlen += l;
-			memcpy(buf, &xhci_endpd, l);
+			memcpy(buf, &xhci_endpd, min(l, sizeof(xhci_endpd)));
 			break;
 		case UDESC_STRING:
 #define sd ((usb_string_descriptor_t *)buf)
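Review bot: The store to `((usb_config_descriptor_t *)buf)->bDescriptorType` after the first copy runs regardless of `l`, so a request whose `len` is 0 or 1 still has the second byte of `buf` written; the commit bounds the reads from the descriptor structs but not this write. Whether `buf` is always at least that large is not visible here, so the store should be tied to the length actually granted, e.g. `if (l > offsetof(usb_config_descriptor_t, bDescriptorType))` in front of it. A one-line comment on the first `min(l, sizeof(...))` saying that the wire-size constants may exceed the in-memory struct size would also explain why the double bound exists. The enclosing switch and function start and end outside this hunk.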
