[PATCH] Prevent buffer overflow on USB control endpoint
Marek Vasut
marex at denx.de
Sun Nov 20 15:43:30 CET 2022
On 11/17/22 12:50, Fabio Estevam wrote:
> [Adding Lukasz and Marek]
>
> On Thu, Nov 17, 2022 at 6:50 AM Szymon Heidrich
> <szymon.heidrich at gmail.com> wrote:
>>
>> Assure that the control endpoint buffer of size USB_BUFSIZ (4096)
>> cannot be overflowed during handling of USB control transfer
>> requests with wLength greater than USB_BUFSIZ.
>>
>> Signed-off-by: Szymon Heidrich <szymon.heidrich at gmail.com>
>> ---
>> drivers/usb/gadget/composite.c | 11 +++++++++++
>> 1 file changed, 11 insertions(+)
>>
>> diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
>> index 2a309e624e..cb89f6dca9 100644
>> --- a/drivers/usb/gadget/composite.c
>> +++ b/drivers/usb/gadget/composite.c
>> @@ -1019,6 +1019,17 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
>> u8 endp;
>> struct usb_configuration *c;
>>
>> + if (w_length > USB_BUFSIZ) {
>> + if (ctrl->bRequestType & USB_DIR_IN) {
>> + /* Cast away the const, we are going to overwrite on purpose. */
>> + __le16 *temp = (__le16 *)&ctrl->wLength;
>> + *temp = cpu_to_le16(USB_BUFSIZ);
>> + w_length = USB_BUFSIZ;
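Review bot: the cast in `__le16 *temp = (__le16 *)&ctrl->wLength;` writes through a pointer that composite_setup() receives as `const struct usb_ctrlrequest *ctrl`, so the caller's setup packet is modified even though the signature promises it will not be. The comment says the overwrite is on purpose but not why setting the local `w_length = USB_BUFSIZ;` is insufficient; either name the later reader of ctrl->wLength that needs the clamped value, or clamp only the local copy and drop the cast. Only the USB_DIR_IN branch is visible in this quote, so the handling of OUT requests with w_length > USB_BUFSIZ cannot be checked from these lines.
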
Won't this end up sending corrupted packets in case they are longer than
USB_BUFSIZ?
Where do such long packets come from?
What is the test-case?