Source-Changes-HG archive


[src/netbsd-7]: src/sys/dev/usb Pull up following revision(s) (requested by s...



details:   https://anonhg.NetBSD.org/src/rev/806cf401ef11
branches:  netbsd-7
changeset: 800373:806cf401ef11
user:      snj <snj%NetBSD.org@localhost>
date:      Wed Jan 03 20:00:23 2018 +0000

description:
Pull up following revision(s) (requested by skrll in ticket #1528):
        sys/dev/usb/if_urtwn.c: revision 1.55
PR/52702 Malicious USB devices attaching as urtwn(4) can corrupt kernel memory
Patch from PR slightly updated by me

diffstat:

 sys/dev/usb/if_urtwn.c |  34 ++++++++++++++++++++--------------
 1 files changed, 20 insertions(+), 14 deletions(-)

diffs (72 lines):

diff -r f762c6b51375 -r 806cf401ef11 sys/dev/usb/if_urtwn.c
--- a/sys/dev/usb/if_urtwn.c    Wed Jan 03 19:58:14 2018 +0000
+++ b/sys/dev/usb/if_urtwn.c    Wed Jan 03 20:00:23 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_urtwn.c,v 1.34.2.1 2017/04/05 19:54:19 snj Exp $    */
+/*     $NetBSD: if_urtwn.c,v 1.34.2.2 2018/01/03 20:00:23 snj Exp $    */
 /*     $OpenBSD: if_urtwn.c,v 1.42 2015/02/10 23:25:46 mpi Exp $       */
 
 /*-
@@ -25,7 +25,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_urtwn.c,v 1.34.2.1 2017/04/05 19:54:19 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_urtwn.c,v 1.34.2.2 2018/01/03 20:00:23 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -588,8 +588,8 @@
 urtwn_open_pipes(struct urtwn_softc *sc)
 {
        /* Bulk-out endpoints addresses (from highest to lowest prio). */
-       static uint8_t epaddr[3];
-       static uint8_t rxepaddr[3];
+       static uint8_t epaddr[R92C_MAX_EPOUT];
+       static uint8_t rxepaddr[R92C_MAX_EPIN];
        usb_interface_descriptor_t *id;
        usb_endpoint_descriptor_t *ed;
        size_t i, ntx = 0, nrx = 0;
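Review bot: `epaddr` and `rxepaddr` keep their `static` storage class, so the arrays that receive device-supplied endpoint addresses are shared by every urtwn(4) instance instead of being private to each call. If two adapters can run this function at overlapping times (not determinable from the hunk), one device's descriptors could overwrite the addresses collected for the other. Unless the rest of urtwn_open_pipes, which continues outside this hunk, needs the values to persist, plain automatics would do: `uint8_t epaddr[R92C_MAX_EPOUT];` and `uint8_t rxepaddr[R92C_MAX_EPIN];`.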
@@ -601,26 +601,32 @@
        id = usbd_get_interface_descriptor(sc->sc_iface);
        for (i = 0; i < id->bNumEndpoints; i++) {
                ed = usbd_interface2endpoint_descriptor(sc->sc_iface, i);
-               if (ed != NULL &&
-                   UE_GET_XFERTYPE(ed->bmAttributes) == UE_BULK &&
-                   UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_OUT) {
-                       epaddr[ntx] = ed->bEndpointAddress;
+               if (ed == NULL || UE_GET_XFERTYPE(ed->bmAttributes) != UE_BULK) {
+                       continue;
+               }
+               if (UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_OUT) {
+                       if (ntx < sizeof(epaddr))
+                               epaddr[ntx] = ed->bEndpointAddress;
                        ntx++;
                }
-               if (ed != NULL &&
-                   UE_GET_XFERTYPE(ed->bmAttributes) == UE_BULK &&
-                   UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_IN) {
-                       rxepaddr[nrx] = ed->bEndpointAddress;
+               if (UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_IN) {
+                       if (nrx < sizeof(rxepaddr))
+                               rxepaddr[nrx] = ed->bEndpointAddress;
                        nrx++;
                }
        }
-       DPRINTFN(DBG_INIT, ("%s: %s: found %zd bulk-out pipes\n",
-           device_xname(sc->sc_dev), __func__, ntx));
+       if (nrx == 0 || nrx > R92C_MAX_EPIN) {
+               aprint_error_dev(sc->sc_dev,
+                   "%zd: invalid number of Rx bulk pipes\n", nrx);
+               return EIO;
+       }
        if (ntx == 0 || ntx > R92C_MAX_EPOUT) {
                aprint_error_dev(sc->sc_dev,
                    "%zd: invalid number of Tx bulk pipes\n", ntx);
                return EIO;
        }
+       DPRINTFN(DBG_INIT, ("%s: %s: found %zd/%zd bulk-in/out pipes\n",
+           device_xname(sc->sc_dev), __func__, nrx, ntx));
        sc->rx_npipe = nrx;
        sc->tx_npipe = ntx;
 
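Review bot: The new guards `ntx < sizeof(epaddr)` and `nrx < sizeof(rxepaddr)` use a byte size as an element count, which is correct only while the arrays hold `uint8_t`. Because these guards are what stops a device-reported `bNumEndpoints` from writing past the arrays, they should be tied to the element count, e.g. `if (ntx < __arraycount(epaddr))` and `if (nrx < __arraycount(rxepaddr))`. The error and debug messages also print the `size_t` counters with `%zd`, where `%zu` is the matching conversion. A short comment above the loop would help, stating that counting deliberately continues past the array size so the later `> R92C_MAX_EPIN` and `> R92C_MAX_EPOUT` checks can reject the device. urtwn_open_pipes starts and ends outside this hunk.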


