[U-Boot] [PATCH] usb: fallback safely when a configuration descriptor is too large

Wed Jul 25 09:46:38 CEST 2012

Hi Vincent,

On Tue, Jul 24, 2012 at 6:12 PM, Vincent Palatin <vpalatin at chromium.org> wrote:
> When a USB configuration descriptor was larger than our USB buffer
> (512 bytes), we were skipping the full descriptor reading but then we
> were still parsing and using it, triggering memory corruptions.
> Now in that case, it just skips this device enumeration and displays the
> appropriate message to the user, so he can fix the buffer if he wants.
>
> This bug was triggered by some UVC webcams which have very large
> configuration descriptors (e.g. a couple of kB) describing all their
> supported video encodings.
>
> Signed-off-by: Vincent Palatin <vpalatin at chromium.org>

Acked-by: Simon Glass <sjg at chromium.org>

> ---
>  common/usb.c |   12 +++++++++---
>  1 files changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/common/usb.c b/common/usb.c
> index 63a11c8..cfa1ad7 100644
> --- a/common/usb.c
> +++ b/common/usb.c
> @@ -485,8 +485,8 @@ int usb_get_configuration_no(struct usb_device *dev,
>         tmp = le16_to_cpu(config->wTotalLength);
>
>         if (tmp > USB_BUFSIZ) {
> -               USB_PRINTF("usb_get_configuration_no: failed to get " \
> -                          "descriptor - too long: %d\n", tmp);
> +               printf("usb_get_configuration_no: failed to get " \
> +                      "descriptor - too long: %d\n", tmp);

Should this (and the one below) be USB_PRINTF() instead?

>                 return -1;
>         }
>
> @@ -921,7 +921,13 @@ int usb_new_device(struct usb_device *dev)
>         le16_to_cpus(&dev->descriptor.idProduct);
>         le16_to_cpus(&dev->descriptor.bcdDevice);
>         /* only support for one config for now */
> -       usb_get_configuration_no(dev, &tmpbuf[0], 0);
> +       err = usb_get_configuration_no(dev, &tmpbuf[0], 0);
> +       if (err < 0) {
> +               printf("usb_new_device: Cannot read configuration, " \
> +                      "skipping device %04x:%04x\n",
> +                      dev->descriptor.idVendor, dev->descriptor.idProduct);
> +               return -1;
> +       }
>         usb_parse_config(dev, &tmpbuf[0], 0);
>         usb_set_maxpacket(dev);
>         /* we set the default configuration here */
> --
> 1.7.7.3
>

Regards,
Simon