On Thu, 8 Aug 2013, Sean O. Stalley wrote:
> rh_call_control() contains a buffer, tbuf, which it uses to hold
> USB descriptors. These discriptors are eventually copied into the
> transfer_buffer in the URB. The buffer in the URB is dynamically
> defined and is always large enough to hold the amount of data it
> requests.
>
> tbuf is currently statically allocated on the stack with a size
> of 15 bytes, regardless of the size specified in the URB.
> This patch dynamically allocates tbuf, and ensures that tbuf is
> at least as big as the buffer in the URB.
>
> If an hcd attempts to write a descriptor containing more than
> 15 bytes ( such as the Standard BOS Descriptor for hubs, defined
> in the USB3.0 Spec, section 10.13.1 ) the write would overflow
> the buffer and corrupt the stack. This patch addresses this
> behavior.
>
> Signed-off-by: Sean O. Stalley <sean.stalley@xxxxxxxxx>
> @@ -494,6 +490,18 @@ static int rh_call_control (struct usb_hcd *hcd, struct urb *urb)
> if (wLength > urb->transfer_buffer_length)
> goto error;
>
> + /*
> + * tbuf should be at least as big as the
> + * USB hub descriptor.
> + */
> + tbuf_size = max_t(u16, sizeof(struct usb_hub_descriptor), wLength);
> + tbuf = kzalloc(tbuf_size, GFP_KERNEL);
> + if (!tbuf)
> + return -ENOMEM;
> +
> + bufp = tbuf;
> +
> +
> urb->actual_length = 0;
> switch (typeReq) {
>
> @@ -675,6 +683,7 @@ error:
> urb->actual_length = len;
> // always USB_DIR_IN, toward host
> memcpy (ubuf, bufp, len);
> + kfree(tbuf);
>
> /* report whether RH hardware supports remote wakeup */
> if (patch_wakeup &&
This deallocates tbuf when len > 0, but it leaks the memory when len is
0.
Alan Stern
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
