[PATCH] usb: gadget: dfu: Fix check of transfer direction

offougajoris at gmail.com offougajoris at gmail.com
Sun Dec 4 20:30:51 CET 2022


Tested on Warp7, thanks

Tested-by: Joris Offouga <offougajoris at gmail.com>

> On 30 Nov 2022 at 19:55, hsimeliere.opensource at witekio.com wrote:
> 
> From: Hugo SIMELIERE <hsimeliere.opensource at witekio.com>
> 
> Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347
> blocks DFU usb requests.
> The verification of the transfer direction was done by an equality
> but it is a bit mask.
> 
> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource at witekio.com>
> ---
> drivers/usb/gadget/f_dfu.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
> index 33ef62f8ba..44877df4ec 100644
> --- a/drivers/usb/gadget/f_dfu.c
> +++ b/drivers/usb/gadget/f_dfu.c
> @@ -325,7 +325,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
> 
>    switch (ctrl->bRequest) {
>    case USB_REQ_DFU_DNLOAD:
> -        if (ctrl->bRequestType == USB_DIR_OUT) {
> +        if (!(ctrl->bRequestType & USB_DIR_IN)) {
>            if (len == 0) {
>                f_dfu->dfu_state = DFU_STATE_dfuERROR;
>                value = RET_STALL;
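
Review bot: the new DNLOAD test in state_dfu_idle, `!(ctrl->bRequestType & USB_DIR_IN)`, looks only at the direction bit, so it is true for any host-to-device request whatever its type and recipient bits are. If nothing earlier in the setup path has already restricted these to class requests for the DFU interface, consider also comparing `ctrl->bRequestType & USB_TYPE_MASK` against `USB_TYPE_CLASS` here, or say in the commit message where that filtering happens.
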
> @@ -337,7 +337,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
>        }
>        break;
>    case USB_REQ_DFU_UPLOAD:
> -        if (ctrl->bRequestType == USB_DIR_IN) {
> +        if (ctrl->bRequestType & USB_DIR_IN) {
>            f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
>            f_dfu->blk_seq_num = 0;
>            value = handle_upload(req, len);
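
Review bot: style point on the UPLOAD test in state_dfu_idle: `ctrl->bRequestType & USB_DIR_IN` and its negated DNLOAD form are now open-coded at four sites in this file. A pair of small static inline helpers (names up to you) would keep the IN and OUT tests symmetrical and make it harder for an equality comparison to creep back in.
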
> @@ -436,7 +436,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
> 
>    switch (ctrl->bRequest) {
>    case USB_REQ_DFU_DNLOAD:
> -        if (ctrl->bRequestType == USB_DIR_OUT) {
> +        if (!(ctrl->bRequestType & USB_DIR_IN)) {
>            f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
>            f_dfu->blk_seq_num = w_value;
>            value = handle_dnload(gadget, len);
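
Review bot: in the DNLOAD branch of state_dfu_dnload_idle the direction test is the only guard visible before `handle_dnload(gadget, len)`, and this patch makes it pass again for ordinary download requests. Because the commit being corrected was the fix for CVE-2022-2347, the commit message should state where `len` is bounded, and a Fixes: tag naming that commit would help backporters pick up both changes together.
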
> @@ -527,7 +527,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
> 
>    switch (ctrl->bRequest) {
>    case USB_REQ_DFU_UPLOAD:
> -        if (ctrl->bRequestType == USB_DIR_IN) {
> +        if (ctrl->bRequestType & USB_DIR_IN) {
>            /* state transition if less data then requested */
>            f_dfu->blk_seq_num = w_value;
>            value = handle_upload(req, len);
> -- 
> 2.25.1
> 
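
The equality-versus-bit-mask point from the commit message, as an added example that is not part of the patch or of U-Boot's code. The macro values are the standard USB ones, 0x21 and 0xa1 are the bmRequestType values the DFU specification uses for DNLOAD and UPLOAD, and `is_class_iface` plus the sample bytes are constructed here for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* bmRequestType bit layout; values match the USB 2.0 spec and ch9.h. */
#define USB_DIR_OUT         0x00 /* bit 7 clear: host to device */
#define USB_DIR_IN          0x80 /* bit 7 set: device to host */
#define USB_TYPE_MASK       0x60 /* bits 6..5 */
#define USB_TYPE_CLASS      0x20
#define USB_RECIP_MASK      0x1f /* bits 4..0 */
#define USB_RECIP_INTERFACE 0x01

/* Pre-patch form: the whole byte is compared with a direction value. */
static int old_is_out(uint8_t t) { return t == USB_DIR_OUT; }
static int old_is_in(uint8_t t)  { return t == USB_DIR_IN; }

/* Patched form: only the direction bit is tested. */
static int new_is_out(uint8_t t) { return !(t & USB_DIR_IN); }
static int new_is_in(uint8_t t)  { return (t & USB_DIR_IN) != 0; }

/* Hypothetical stricter form (not in the patch): direction, class type, interface recipient. */
static int is_class_iface(uint8_t t, uint8_t dir)
{
	return (t & USB_DIR_IN) == dir &&
	       (t & USB_TYPE_MASK) == USB_TYPE_CLASS &&
	       (t & USB_RECIP_MASK) == USB_RECIP_INTERFACE;
}

int main(void)
{
	/* Constructed samples: DFU DNLOAD, DFU UPLOAD, bare OUT, bare IN, vendor OUT. */
	static const uint8_t samples[] = { 0x21, 0xa1, 0x00, 0x80, 0x40 };

	for (size_t i = 0; i < sizeof(samples); i++) {
		uint8_t t = samples[i];
		printf("0x%02x old(out=%d in=%d) new(out=%d in=%d) strict(out=%d in=%d)\n",
		       t, old_is_out(t), old_is_in(t), new_is_out(t), new_is_in(t),
		       is_class_iface(t, USB_DIR_OUT), is_class_iface(t, USB_DIR_IN));
	}
	return 0;
}
```

The equality form rejects both real DFU values because their type and recipient bits are non-zero, while the mask form accepts them along with any other byte that has the matching direction bit.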

