Re: [PATCH] USB Storage: add support for Maxtor One-Touch button

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

An interesting catch.

The test on line 249 should probably be (maxp > ONETOUCH_PKT_LEN ?
ONETOUCH_PKT_LEN : maxp) -- in other words, limit the interrupt
transfer to the smaller of 2 or max packet size for the endpoint.
There is a similar (correctly done) test in usb_stor_intr_transfer in
transport.c

Care to submit a patch to Greg?

Matt

On Wed, Feb 27, 2013 at 4:33 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> Hello Matthew Dharm,
>
> This is an old warning but it looks like it might be valid.
>
> The patch 34008dbfe8c0: "[PATCH] USB Storage: add support for Maxtor
> One-Touch button" from Jul 28, 2005, leads to the following Smatch
> warning:
> "drivers/usb/storage/onetouch.c:248 onetouch_connect_input()
>          error: usb_fill_int_urb() 'onetouch->data' too small (2 vs 9)"
>
> [ This requires some database configuration to get this warning ].
>
>
> drivers/usb/storage/onetouch.c
>    197          maxp = usb_maxpacket(udev, pipe, usb_pipeout(pipe));
>                 ^^^^
> maxp depends on the end point.
>
>    198
>    199          onetouch = kzalloc(sizeof(struct usb_onetouch), GFP_KERNEL);
>    200          input_dev = input_allocate_device();
>    201          if (!onetouch || !input_dev)
>    202                  goto fail1;
>    203
>    204          onetouch->data = usb_alloc_coherent(udev, ONETOUCH_PKT_LEN,
>                 ^^^^^^^^^^^^^^                            ^^^^^^^^^^^^^^^^
> ONETOUCH_PKT_LEN is 0x02 so we are ->data is 2 bytes.
>
>    205                                              GFP_KERNEL, &onetouch->data_dma);
>    206          if (!onetouch->data)
>    207                  goto fail1;
>    208
>
>         [ snip ].
>
>    245          input_dev->open = usb_onetouch_open;
>    246          input_dev->close = usb_onetouch_close;
>    247
>    248          usb_fill_int_urb(onetouch->irq, udev, pipe, onetouch->data,
>    249                           (maxp > 8 ? 8 : maxp),
>                                   ^^^^^^^^^^^^^^^^^^^
> If we use 8 as the transfer size and ->data is only 2 bytes then it
> could corrupt memory.  (Smatch incorrectly thinks this parameter can
> be 9, but even 8 would be too high).
>
>    250                           usb_onetouch_irq, onetouch, endpoint->bInterval);
>    251          onetouch->irq->transfer_dma = onetouch->data_dma;
>    252          onetouch->irq->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
>    253
>
> regards,
> dan carpenter
>



--
Matthew Dharm
Maintainer, USB Mass Storage driver for Linux
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux