
[src/netbsd-9]: src/sys/dev/hid Pull up following revision(s) (requested by m...



details:   https://anonhg.NetBSD.org/src/rev/e0ed601fb8ac
branches:  netbsd-9
changeset: 466931:e0ed601fb8ac
user:      martin <martin%NetBSD.org@localhost>
date:      Sun Jan 05 09:53:18 2020 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #605):

        sys/dev/hid/hid.c: revision 1.4

Fix small read overflows when parsing HID tables. Noticed by kASan the
other day while I was playing with vHCI.

diffstat:

 sys/dev/hid/hid.c |  24 +++++++++++++++---------
 1 files changed, 15 insertions(+), 9 deletions(-)

diffs (59 lines):

diff -r 0a764fc08089 -r e0ed601fb8ac sys/dev/hid/hid.c
--- a/sys/dev/hid/hid.c Sun Jan 05 09:51:45 2020 +0000
+++ b/sys/dev/hid/hid.c Sun Jan 05 09:53:18 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: hid.c,v 1.3 2018/11/15 23:01:45 jakllsch Exp $ */
+/*     $NetBSD: hid.c,v 1.3.4.1 2020/01/05 09:53:18 martin Exp $       */
 /*     $FreeBSD: src/sys/dev/usb/hid.c,v 1.11 1999/11/17 22:33:39 n_hibma Exp $ */
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: hid.c,v 1.3 2018/11/15 23:01:45 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: hid.c,v 1.3.4.1 2020/01/05 09:53:18 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -149,27 +149,33 @@
        }
        for (;;) {
                p = s->p;
-               if (p >= s->end)
+
+               if (p + 1 > s->end)
                        return 0;
+               bSize = *p++;
 
-               bSize = *p++;
                if (bSize == 0xfe) {
                        /* long item */
+                       if (p + 3 > s->end)
+                               return 0;
                        bSize = *p++;
                        bSize |= *p++ << 8;
                        bTag = *p++;
-                       data = p;
-                       p += bSize;
                        bType = 0xff; /* XXX what should it be */
                } else {
                        /* short item */
                        bTag = bSize >> 4;
                        bType = (bSize >> 2) & 3;
                        bSize &= 3;
-                       if (bSize == 3) bSize = 4;
-                       data = p;
-                       p += bSize;
+                       if (bSize == 3)
+                               bSize = 4;
                }
+
+               data = p;
+               if (p + bSize > s->end)
+                       return 0;
+               p += bSize;
+
                s->p = p;
                switch(bSize) {
                case 0:
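Review bot: The new bounds checks in the item-parsing loop are written as pointer additions (`p + 1 > s->end`, `p + 3 > s->end`, `p + bSize > s->end`), so each one computes an address before knowing that it lies inside the descriptor buffer. For a long item bSize is assembled from two bytes of the report descriptor, so `p + bSize` can point well beyond one past the end, which C leaves undefined and which only works if the address does not wrap. Comparing against the remaining length avoids this: `if (s->end - p < 3) return 0;` and `if (bSize > (size_t)(s->end - p)) return 0;` (bSize's declaration is outside the hunk, so adjust the cast to its type). A short comment above the checks would also help, noting that the descriptor is device-supplied and that a truncated item ends parsing with `return 0`, which appears to be the same value returned for a clean end of data. The loop and its enclosing function begin and end outside the hunk.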


