[PATCH] usb: gadget: dfu: Fix check of transfer direction
hsimeliere.opensource at witekio.com
hsimeliere.opensource at witekio.com
Wed Nov 30 09:29:16 CET 2022
From: Hugo SIMELIERE <hsimeliere.opensource at witekio.com>
Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347
blocks DFU usb requests.
The verification of the transfer direction was done by an equality
but it is a bit mask.
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource at witekio.com>
---
drivers/usb/gadget/f_dfu.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
index 33ef62f8ba..44877df4ec 100644
--- a/drivers/usb/gadget/f_dfu.c
+++ b/drivers/usb/gadget/f_dfu.c
@@ -325,7 +325,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
switch (ctrl->bRequest) {
case USB_REQ_DFU_DNLOAD:
- if (ctrl->bRequestType == USB_DIR_OUT) {
+ if (!(ctrl->bRequestType & USB_DIR_IN)) {
if (len == 0) {
f_dfu->dfu_state = DFU_STATE_dfuERROR;
value = RET_STALL;
@@ -337,7 +337,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
}
break;
case USB_REQ_DFU_UPLOAD:
- if (ctrl->bRequestType == USB_DIR_IN) {
+ if (ctrl->bRequestType & USB_DIR_IN) {
f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
f_dfu->blk_seq_num = 0;
value = handle_upload(req, len);
@@ -436,7 +436,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
switch (ctrl->bRequest) {
case USB_REQ_DFU_DNLOAD:
- if (ctrl->bRequestType == USB_DIR_OUT) {
+ if (!(ctrl->bRequestType & USB_DIR_IN)) {
f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
f_dfu->blk_seq_num = w_value;
value = handle_dnload(gadget, len);
@@ -527,7 +527,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
switch (ctrl->bRequest) {
case USB_REQ_DFU_UPLOAD:
- if (ctrl->bRequestType == USB_DIR_IN) {
+ if (ctrl->bRequestType & USB_DIR_IN) {
/* state transition if less data then requested */
f_dfu->blk_seq_num = w_value;
value = handle_upload(req, len);
--
2.25.1
More information about the U-Boot
mailing list