[src/netbsd-8]: src/sys/dev/usb Pull up following revision(s) (requested by s...

[martin <martin%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/e7da8ef6936c
branches:  netbsd-8
changeset: 434429:e7da8ef6936c
user:      martin <martin%NetBSD.org@localhost>
date:      Thu Nov 23 13:16:21 2017 +0000

description:
Pull up following revision(s) (requested by skrll in ticket #383):
        sys/dev/usb/if_urtwn.c: revision 1.55
PR/52702 Malicious USB devices attaching as urtwn(4) can corrupt kernel memory
Patch from PR slighly updated by me

diffstat:

 sys/dev/usb/if_urtwn.c |  34 ++++++++++++++++++++--------------
 1 files changed, 20 insertions(+), 14 deletions(-)

diffs (72 lines):

diff -r 020717943659 -r e7da8ef6936c sys/dev/usb/if_urtwn.c
--- a/sys/dev/usb/if_urtwn.c    Thu Nov 23 11:42:58 2017 +0000
+++ b/sys/dev/usb/if_urtwn.c    Thu Nov 23 13:16:21 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_urtwn.c,v 1.53 2017/05/03 15:34:05 jnemeth Exp $    */
+/*     $NetBSD: if_urtwn.c,v 1.53.2.1 2017/11/23 13:16:21 martin Exp $ */
 /*     $OpenBSD: if_urtwn.c,v 1.42 2015/02/10 23:25:46 mpi Exp $       */
 
 /*-
@@ -25,7 +25,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_urtwn.c,v 1.53 2017/05/03 15:34:05 jnemeth Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_urtwn.c,v 1.53.2.1 2017/11/23 13:16:21 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -589,8 +589,8 @@
 urtwn_open_pipes(struct urtwn_softc *sc)
 {
        /* Bulk-out endpoints addresses (from highest to lowest prio). */
-       static uint8_t epaddr[3];
-       static uint8_t rxepaddr[3];
+       static uint8_t epaddr[R92C_MAX_EPOUT];
+       static uint8_t rxepaddr[R92C_MAX_EPIN];
        usb_interface_descriptor_t *id;
        usb_endpoint_descriptor_t *ed;
        size_t i, ntx = 0, nrx = 0;
@@ -602,26 +602,32 @@
        id = usbd_get_interface_descriptor(sc->sc_iface);
        for (i = 0; i < id->bNumEndpoints; i++) {
                ed = usbd_interface2endpoint_descriptor(sc->sc_iface, i);
-               if (ed != NULL &&
-                   UE_GET_XFERTYPE(ed->bmAttributes) == UE_BULK &&
-                   UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_OUT) {
-                       epaddr[ntx] = ed->bEndpointAddress;
+               if (ed == NULL || UE_GET_XFERTYPE(ed->bmAttributes) != UE_BULK) {
+                       continue;
+               }
+               if (UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_OUT) {
+                       if (ntx < sizeof(epaddr))
+                               epaddr[ntx] = ed->bEndpointAddress;
                        ntx++;
                }
-               if (ed != NULL &&
-                   UE_GET_XFERTYPE(ed->bmAttributes) == UE_BULK &&
-                   UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_IN) {
-                       rxepaddr[nrx] = ed->bEndpointAddress;
+               if (UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_IN) {
+                       if (nrx < sizeof(rxepaddr))
+                               rxepaddr[nrx] = ed->bEndpointAddress;
                        nrx++;
                }
        }
-       DPRINTFN(DBG_INIT, ("%s: %s: found %zd bulk-out pipes\n",
-           device_xname(sc->sc_dev), __func__, ntx));
+       if (nrx == 0 || nrx > R92C_MAX_EPIN) {
+               aprint_error_dev(sc->sc_dev,
+                   "%zd: invalid number of Rx bulk pipes\n", nrx);
+               return EIO;
+       }
        if (ntx == 0 || ntx > R92C_MAX_EPOUT) {
                aprint_error_dev(sc->sc_dev,
                    "%zd: invalid number of Tx bulk pipes\n", ntx);
                return EIO;
        }
+       DPRINTFN(DBG_INIT, ("%s: %s: found %zd/%zd bulk-in/out pipes\n",
+           device_xname(sc->sc_dev), __func__, nrx, ntx));
        sc->rx_npipe = nrx;
        sc->tx_npipe = ntx;