* Patch by Laurent Mohin, 10 Feb 2004:

Fix buffer overflow in common/usb.c * Patch by Tolunay Orkun, 10 Feb 2004: Add support for Cogent CSB272 board * Code cleanup
author: wdenk <wdenk> 2004-02-23 20:48:38 +0000
committer: wdenk <wdenk> 2004-02-23 20:48:38 +0000
commit: cd0a9de68b03e5a54fd2a08f44be318e4397be01 (patch)
tree: 161762b51f26b604823009e2bcc1c7b3105c6361 /common
parent: 2d1a537d87727907bf4d888760cba4abc0b52ad3 (diff)
download: olio-uboot-2014.01-cd0a9de68b03e5a54fd2a08f44be318e4397be01.tar.xz
olio-uboot-2014.01-cd0a9de68b03e5a54fd2a08f44be318e4397be01.zip
3 files changed, 38 insertions, 20 deletions
diff --git a/common/cmd_ace.c b/common/cmd_ace.c
index ee77f1356..555fbe398 100644
--- a/common/cmd_ace.c
+++ b/common/cmd_ace.c
@@ -195,11 +195,4 @@ static unsigned long systemace_read(int dev,
 
       return blkcnt;
 }
-
-
 #endif
-
-/*
- * $Log: $
- */
-
diff --git a/common/cmd_itest.c b/common/cmd_itest.c
index 9e920c9bd..87260b02d 100644
--- a/common/cmd_itest.c
+++ b/common/cmd_itest.c
@@ -12,7 +12,7 @@
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	 See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
@@ -159,13 +159,13 @@ int binary_test (char *op, char *arg1, char *arg2, int w)
 /* command line interface to the shell test */
 int do_itest ( cmd_tbl_t *cmdtp, int flag, int argc, char *argv[] )
 {
-        int	value, w;
+	int	value, w;
 
-        /* Validate arguments */
-        if ((argc != 4)){
+	/* Validate arguments */
+	if ((argc != 4)){
 		printf("Usage:\n%s\n", cmdtp->usage);
-        	return 1;
-        }
+		return 1;
+	}
 
 	/* Check for a data width specification.
 	 * Defaults to long (4) if no specification.
@@ -192,6 +192,6 @@ int do_itest ( cmd_tbl_t *cmdtp, int flag, int argc, char *argv[] )
 
 U_BOOT_CMD(
 	itest, 4, 0, do_itest,
-	"itest   - return true/false on integer compare\n",
+	"itest	 - return true/false on integer compare\n",
 	"[.b, .w, .l, .s] [*]value1 <op> [*]value2\n"
 );
diff --git a/common/usb.c b/common/usb.c
index a96052a0c..1bb9438f2 100644
--- a/common/usb.c
+++ b/common/usb.c
@@ -25,7 +25,6 @@
  *
  */
 
-
 /*
  * How it works:
  *
@@ -47,7 +46,7 @@
 #endif
 
 
-#undef USB_DEBUG
+/* #define USB_DEBUG */
 
 #ifdef	USB_DEBUG
 #define	USB_PRINTF(fmt,args...)	printf (fmt ,##args)
@@ -55,6 +54,8 @@
 #define USB_PRINTF(fmt,args...)
 #endif
 
+#define USB_BUFSIZ	512
+
 static struct usb_device usb_dev[USB_MAX_DEVICE];
 static int dev_index;
 static int running;
@@ -387,6 +388,12 @@ int usb_get_configuration_no(struct usb_device *dev,unsigned char *buffer,int cf
 	}
 	tmp=swap_16(config->wTotalLength);
 
+	if (tmp > USB_BUFSIZ) {
+		USB_PRINTF("usb_get_configuration_no: failed to get descriptor - too long: %d\n",
+			tmp);
+		return -1;
+	}
+
 	result = usb_get_descriptor(dev, USB_DT_CONFIG, cfgno, buffer, tmp);
 	USB_PRINTF("get_conf_no %d Result %d, wLength %d\n",cfgno,result,tmp);
 	return result;
@@ -516,8 +523,7 @@ int usb_get_string(struct usb_device *dev, unsigned short langid, unsigned char
  */
 int usb_string(struct usb_device *dev, int index, char *buf, size_t size)
 {
-
-	unsigned char mybuf[256];
+	unsigned char mybuf[USB_BUFSIZ];
 	unsigned char *tbuf;
 	int err;
 	unsigned int u, idx;
@@ -551,6 +557,12 @@ int usb_string(struct usb_device *dev, int index, char *buf, size_t size)
 		return err;
 	u=tbuf[0];
 	USB_PRINTF("Strn Len %d, index %d\n",u,index);
+
+	if (u > USB_BUFSIZ) {
+		USB_PRINTF("usb_string: failed to get string - too long: %d\n", u);
+		return -1;
+	}
+
 	err = usb_get_string(dev, dev->string_langid, index, tbuf, u);
 	if (err < 0)
 		return err;
@@ -619,7 +631,7 @@ int usb_new_device(struct usb_device *dev)
 {
 	int addr, err;
 	int tmp;
-	unsigned char tmpbuf[256];
+	unsigned char tmpbuf[USB_BUFSIZ];
 
 	dev->descriptor.bMaxPacketSize0 = 8;  /* Start off at 8 bytes  */
 	dev->maxpacketsize = 0;		/* Default to 8 byte max packet size */
@@ -895,7 +907,7 @@ void usb_hub_port_connect_change(struct usb_device *dev, int port)
 
 int usb_hub_configure(struct usb_device *dev)
 {
-	unsigned char buffer[256], *bitmap;
+	unsigned char buffer[USB_BUFSIZ], *bitmap;
 	struct usb_hub_descriptor *descriptor;
 	struct usb_hub_status *hubsts;
 	int i;
@@ -912,6 +924,13 @@ int usb_hub_configure(struct usb_device *dev)
 		return -1;
 	}
 	descriptor = (struct usb_hub_descriptor *)buffer;
+
+	if (descriptor->bLength > USB_BUFSIZ) {
+		USB_HUB_PRINTF("usb_hub_configure: failed to get hub descriptor - too long: %d\N",
+			descriptor->bLength);
+		return -1;
+	}
+
 	if (usb_get_hub_descriptor(dev, buffer, descriptor->bLength) < 0) {
 		USB_HUB_PRINTF("usb_hub_configure: failed to get hub descriptor 2nd giving up %lX\n",dev->status);
 		return -1;
@@ -968,6 +987,12 @@ int usb_hub_configure(struct usb_device *dev)
 	for (i = 0; i < dev->maxchild; i++)
 		USB_HUB_PRINTF("port %d is%s removable\n", i + 1,
 			hub->desc.DeviceRemovable[(i + 1)/8] & (1 << ((i + 1)%8)) ? " not" : "");
+	if (sizeof(struct usb_hub_status) > USB_BUFSIZ) {
+		USB_HUB_PRINTF("usb_hub_configure: failed to get Status - too long: %d\n",
+			descriptor->bLength);
+		return -1;
+	}
+
 	if (usb_get_hub_status(dev, buffer) < 0) {
 		USB_HUB_PRINTF("usb_hub_configure: failed to get Status %lX\n",dev->status);
 		return -1;
author	wdenk <wdenk>	2004-02-23 20:48:38 +0000
committer	wdenk <wdenk>	2004-02-23 20:48:38 +0000
commit	cd0a9de68b03e5a54fd2a08f44be318e4397be01 (patch)
tree	161762b51f26b604823009e2bcc1c7b3105c6361 /common
parent	2d1a537d87727907bf4d888760cba4abc0b52ad3 (diff)
download	olio-uboot-2014.01-cd0a9de68b03e5a54fd2a08f44be318e4397be01.tar.xz olio-uboot-2014.01-cd0a9de68b03e5a54fd2a08f44be318e4397be01.zip