Source-Changes-HG archive


[src/netbsd-6]: src/sys/dev/usb Pull up following revision(s) (requested by c...



details:   https://anonhg.NetBSD.org/src/rev/e1e715e28d5d
branches:  netbsd-6
changeset: 774056:e1e715e28d5d
user:      riz <riz%NetBSD.org@localhost>
date:      Mon May 07 16:25:42 2012 +0000

description:
Pull up following revision(s) (requested by christos in ticket #216):
        sys/dev/usb/ubt.c: revision 1.47
PR/46338: Nat Sloss: Prevent ubt synchronization loss from overwriting memory.

diffstat:

 sys/dev/usb/ubt.c |  23 +++++++++++++++--------
 1 files changed, 15 insertions(+), 8 deletions(-)

diffs (51 lines):

diff -r 792cff4b6c92 -r e1e715e28d5d sys/dev/usb/ubt.c
--- a/sys/dev/usb/ubt.c Mon May 07 16:24:07 2012 +0000
+++ b/sys/dev/usb/ubt.c Mon May 07 16:25:42 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ubt.c,v 1.44 2012/01/23 08:30:24 plunky Exp $  */
+/*     $NetBSD: ubt.c,v 1.44.2.1 2012/05/07 16:25:42 riz Exp $ */
 
 /*-
  * Copyright (c) 2006 Itronix Inc.
@@ -67,7 +67,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.44 2012/01/23 08:30:24 plunky Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.44.2.1 2012/05/07 16:25:42 riz Exp $");
 
 #include <sys/param.h>
 #include <sys/device.h>
@@ -1671,10 +1671,7 @@
                        if (got + size > want)
                                size = want - got;
 
-                       if (got + size > MHLEN)
-                               memcpy(ptr, frame, MHLEN - got);
-                       else
-                               memcpy(ptr, frame, size);
+                       memcpy(ptr, frame, size);
 
                        ptr += size;
                        got += size;
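Review bot: The now-unconditional `memcpy(ptr, frame, size)` is bounded only by `want`, so its safety rests on `want <= MHLEN` holding wherever `want` is derived from the device-supplied length field. The only check visible in this commit is on the `want == sizeof(hci_scodata_hdr_t)` path in the following hunk; if `want` is also computed from the header elsewhere in the function (not visible here), that site needs the same bound. I would state the invariant at the copy, for example `KASSERT(got + size <= MHLEN);` with the comment `/* size <= want - got; want <= MHLEN is checked when the SCO header is parsed */`. The enclosing loop starts and ends outside the hunk.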
@@ -1686,8 +1683,18 @@
                                 * length to our want count. Send complete
                                 * packets up to protocol stack.
                                 */
-                               if (want == sizeof(hci_scodata_hdr_t))
-                                       want += mtod(m, hci_scodata_hdr_t *)->length;
+                               if (want == sizeof(hci_scodata_hdr_t)) {
+                                       uint32_t len =
+                                           mtod(m, hci_scodata_hdr_t *)->length;
+                                       want += len;
+                                       if (len == 0 || want > MHLEN) {
+                                               aprint_error_dev(sc->sc_dev,
+                                                   "packet too large %u "
+                                                   "(lost sync)\n", len);
+                                               sc->sc_stats.err_rx++;
+                                               return;
+                                       }
+                               }
 
                                if (got == want) {
                                        m->m_pkthdr.len = m->m_len = got;
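Review bot: The new `return;` in the lost-sync branch exits without any visible release of `m`. If this function owns the partially filled mbuf at that point (its ownership is not visible in the hunk), add `m_freem(m);` before `return;` so that a device repeatedly sending bad headers cannot leak mbufs. A bare return also skips whatever the function does after the loop, which is outside this hunk, so confirm that reception is re-armed on this path. Separately, the message says "packet too large" even when the branch is taken for `len == 0`, and it is printed for every bad header with no rate limit; a distinct zero-length message and a limited log rate would keep the console usable during a desync. The enclosing function begins and ends outside the hunk.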


