patrick/zephyr
1
0
Fork 0
Code Issues Pull requests Actions 8 Packages Projects Releases Wiki Activity

drivers: usb_dc_native_posix: Check data length before copy

Browse source 
Fail requests if the data does not fit inside buffer.

This commit only adds missing sanity checks but the native posix driver
remains broken at the design level. The amount of work to fix the native
posix driver in legacy USB stack is deemed too great to be worth it.

Coverity-CID: 195841, GitHub issue #58564
Coverity-CID: 240244, GitHub issue #58570

Signed-off-by: Tomasz Moń <tomasz.mon@nordicsemi.no>
This commit is contained in:
Tomasz Moń 2023-06-07 14:43:33 +02:00 committed by Anas Nashif
parent fb408077df
commit 3b14268e41
1 changed files with 22 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
drivers/usb/device/usb_dc_native_posix.c
View file

@ -356,6 +356,10 @@ int usb_dc_ep_write(const uint8_t ep, const uint8_t *const data,
uint8_t ep_idx = USB_EP_GET_IDX(ep);
struct usb_ep_ctrl_prv *ctrl = &usbip_ctrl.in_ep_ctrl[ep_idx];
if (data_len > ARRAY_SIZE(ctrl->buf)) {
return -EINVAL;
}
memcpy(ctrl->buf, data, data_len);
ctrl->buf_len = data_len;
}
@ -525,8 +529,15 @@ int handle_usb_control(struct usbip_header *hdr)
ep_ctrl->cb(ep_idx, USB_DC_EP_SETUP);
if (ntohl(hdr->common.direction) == USBIP_DIR_OUT) {
uint32_t data_len = ntohl(hdr->u.submit.transfer_buffer_length);
/* Data OUT stage availably */
ep_ctrl->data_len = ntohl(hdr->u.submit.transfer_buffer_length);
if (data_len > ARRAY_SIZE(ep_ctrl->buf)) {
return -EIO;
}
ep_ctrl->data_len = data_len;
if (usbip_recv(ep_ctrl->buf, ep_ctrl->data_len) < 0) {
return -EIO;
}
@ -546,13 +557,22 @@ int handle_usb_data(struct usbip_header *hdr)
uint8_t ep;
if (ntohl(hdr->common.direction) == USBIP_DIR_OUT) {
uint32_t data_len;
if (ep_idx >= USBIP_OUT_EP_NUM) {
return -EINVAL;
}
ep_ctrl = &usbip_ctrl.out_ep_ctrl[ep_idx];
ep = ep_idx | USB_EP_DIR_OUT;
ep_ctrl->data_len = ntohl(hdr->u.submit.transfer_buffer_length);
data_len = ntohl(hdr->u.submit.transfer_buffer_length);
if (data_len > ARRAY_SIZE(ep_ctrl->buf)) {
return -EIO;
}
ep_ctrl->data_len = data_len;
if (usbip_recv(ep_ctrl->buf, ep_ctrl->data_len) < 0) {
return -EIO;
}