kern/38112: questionable code in sys/dev/usb/usb_port.h

[fukumoto%imasy.or.jp@localhost]

>Number:         38112
>Category:       kern
>Synopsis:       questionable code in sys/dev/usb/usb_port.h
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 27 18:55:00 +0000 2008
>Originator:     FUKUMOTO Atsushi
>Release:        NetBSD 4.0_STABLE
>Organization:
>Environment:
System: NetBSD kestrel 4.0_STABLE NetBSD 4.0_STABLE (Kestrel) #15: Tue Feb 19 
03:07:05 JST 2008 
fukumoto@kestrel:/usr/src.netbsd4/sys/arch/i386/compile/Kestrel i386
Architecture: i386
Machine: i386
>Description:
        While trying to modify a USB device driver, I noticed a
        questionable code in sys/dev/usb/usb_port.h.

#define UCOMBUSCF_PORTNO                -1

        Only reference to UCOMBUSCF_PORTNO is in ucomsubmatch():

            cf->cf_loc[UCOMBUSCF_PORTNO] != UCOMBUSCF_PORTNO_DEFAULT &&
            cf->cf_loc[UCOMBUSCF_PORTNO] != uca->portno)

        which means it is accessing cf->cf_loc[-1], which looks wrong
        to me.

        The definition is imported from OpenBSD on 2000/11/10, and the
        line is changed in OpenBSD sys/dev/usb/usb_port.h rev.1.49
        (May 26 2004) to 0.  I haven't looked further but I guess
        there may be other fixes yet to be imported to NetBSD.

>How-To-Repeat:

>Fix:
Index: usb_port.h
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/usb_port.h,v
retrieving revision 1.73
diff -u -u -r1.73 usb_port.h
--- usb_port.h  16 Nov 2006 01:33:27 -0000      1.73
+++ usb_port.h  27 Feb 2008 18:38:44 -0000
@@ -229,7 +229,7 @@
 
 typedef struct proc *usb_proc_ptr;
 
-#define UCOMBUSCF_PORTNO               -1
+#define UCOMBUSCF_PORTNO               0
 #define UCOMBUSCF_PORTNO_DEFAULT       -1
 
 #define XS_STS_DONE            ITSDONE

>Unformatted: