git: e889a462d878 - main - usbhid(4): Fix NULL pointer dereference in usbd_xfer_max_len()

Vladimir Kondratyev wulf at FreeBSD.org
Fri May 28 20:31:19 UTC 2021


The branch main has been updated by wulf:

URL: https://cgit.FreeBSD.org/src/commit/?id=e889a462d878675551b227a382764c3879e6c2b3

commit e889a462d878675551b227a382764c3879e6c2b3
Author:     Vladimir Kondratyev <wulf at FreeBSD.org>
AuthorDate: 2021-05-28 20:13:44 +0000
Commit:     Vladimir Kondratyev <wulf at FreeBSD.org>
CommitDate: 2021-05-28 20:29:42 +0000

    usbhid(4): Fix NULL pointer dereference in usbd_xfer_max_len()
    
    Which happens when USB transfer setup is failed.
    
    MFC after:      1 week
    PR:             254974
    Reviewed by:    hselasky
    Differential revision:  https://reviews.freebsd.org/D30485
---
 sys/dev/usb/input/usbhid.c | 64 +++++++++++++++++++++++++++++++++++-----------
 1 file changed, 49 insertions(+), 15 deletions(-)

diff --git a/sys/dev/usb/input/usbhid.c b/sys/dev/usb/input/usbhid.c
index 70b1f4ae99c2..4fb846840b8a 100644
--- a/sys/dev/usb/input/usbhid.c
+++ b/sys/dev/usb/input/usbhid.c
@@ -308,6 +308,22 @@ static const struct usb_config usbhid_config[USBHID_N_TRANSFER] = {
 	},
 };
 
+static inline usb_frlength_t
+usbhid_xfer_max_len(struct usb_xfer *xfer)
+{
+	return (xfer == NULL ? 0 : usbd_xfer_max_len(xfer));
+}
+
+static inline int
+usbhid_xfer_check_len(struct usbhid_softc* sc, int xfer_idx, hid_size_t len)
+{
+	if (sc->sc_xfer[xfer_idx] == NULL)
+		return (ENODEV);
+	if (len > usbd_xfer_max_len(sc->sc_xfer[xfer_idx]))
+		return (ENOBUFS);
+	return (0);
+}
+
 static void
 usbhid_intr_setup(device_t dev, hid_intr_t intr, void *context,
     struct hid_rdesc_info *rdesc)
@@ -320,6 +336,7 @@ usbhid_intr_setup(device_t dev, hid_intr_t intr, void *context,
 	sc->sc_intr_handler = intr;
 	sc->sc_intr_ctx = context;
 	bcopy(usbhid_config, sc->sc_config, sizeof(usbhid_config));
+	bzero(sc->sc_xfer, sizeof(sc->sc_xfer));
 
 	/* Set buffer sizes to match HID report sizes */
 	sc->sc_config[USBHID_INTR_OUT_DT].bufsize = rdesc->osize;
@@ -342,17 +359,15 @@ usbhid_intr_setup(device_t dev, hid_intr_t intr, void *context,
 		    sc->sc_xfer + n, sc->sc_config + n, 1,
 		    (void *)(sc->sc_xfer_ctx + n), &sc->sc_mtx);
 		if (error)
-			break;
+			DPRINTF("xfer %d setup error=%s\n", n,
+			    usbd_errstr(error));
 	}
 
-	if (error)
-		DPRINTF("error=%s\n", usbd_errstr(error));
-
-	rdesc->rdsize = usbd_xfer_max_len(sc->sc_xfer[USBHID_INTR_IN_DT]);
-	rdesc->grsize = usbd_xfer_max_len(sc->sc_xfer[USBHID_CTRL_DT]);
+	rdesc->rdsize = usbhid_xfer_max_len(sc->sc_xfer[USBHID_INTR_IN_DT]);
+	rdesc->grsize = usbhid_xfer_max_len(sc->sc_xfer[USBHID_CTRL_DT]);
 	rdesc->srsize = rdesc->grsize;
 	rdesc->wrsize = nowrite ? rdesc->srsize :
-	    usbd_xfer_max_len(sc->sc_xfer[USBHID_INTR_OUT_DT]);
+	    usbhid_xfer_max_len(sc->sc_xfer[USBHID_INTR_OUT_DT]);
 
 	sc->sc_intr_buf = malloc(rdesc->rdsize, M_USBDEV, M_ZERO | M_WAITOK);
 }
@@ -371,6 +386,9 @@ usbhid_intr_start(device_t dev)
 {
 	struct usbhid_softc* sc = device_get_softc(dev);
 
+	if (sc->sc_xfer[USBHID_INTR_IN_DT] == NULL)
+		return (ENODEV);
+
 	mtx_lock(&sc->sc_mtx);
 	sc->sc_xfer_ctx[USBHID_INTR_IN_DT] = (struct usbhid_xfer_ctx) {
 		.req.intr.maxlen =
@@ -493,8 +511,9 @@ usbhid_get_report(device_t dev, void *buf, hid_size_t maxlen,
 	union usbhid_device_request req;
 	int error;
 
-	if (maxlen > usbd_xfer_max_len(sc->sc_xfer[USBHID_CTRL_DT]))
-		return (ENOBUFS);
+	error = usbhid_xfer_check_len(sc, USBHID_CTRL_DT, maxlen);
+	if (error)
+		return (error);
 
 	req.ctrl.bmRequestType = UT_READ_CLASS_INTERFACE;
 	req.ctrl.bRequest = UR_GET_REPORT;
@@ -516,9 +535,11 @@ usbhid_set_report(device_t dev, const void *buf, hid_size_t len, uint8_t type,
 {
 	struct usbhid_softc* sc = device_get_softc(dev);
 	union usbhid_device_request req;
+	int error;
 
-	if (len > usbd_xfer_max_len(sc->sc_xfer[USBHID_CTRL_DT]))
-		return (ENOBUFS);
+	error = usbhid_xfer_check_len(sc, USBHID_CTRL_DT, len);
+	if (error)
+		return (error);
 
 	req.ctrl.bmRequestType = UT_WRITE_CLASS_INTERFACE;
 	req.ctrl.bRequest = UR_SET_REPORT;
@@ -538,8 +559,9 @@ usbhid_read(device_t dev, void *buf, hid_size_t maxlen, hid_size_t *actlen)
 	union usbhid_device_request req;
 	int error;
 
-	if (maxlen > usbd_xfer_max_len(sc->sc_xfer[USBHID_INTR_IN_DT]))
-		return (ENOBUFS);
+	error = usbhid_xfer_check_len(sc, USBHID_INTR_IN_DT, maxlen);
+	if (error)
+		return (error);
 
 	req.intr.maxlen = maxlen;
 	error = usbhid_sync_xfer(sc, USBHID_INTR_IN_DT, &req, buf);
@@ -554,9 +576,11 @@ usbhid_write(device_t dev, const void *buf, hid_size_t len)
 {
 	struct usbhid_softc* sc = device_get_softc(dev);
 	union usbhid_device_request req;
+	int error;
 
-	if (len > usbd_xfer_max_len(sc->sc_xfer[USBHID_INTR_OUT_DT]))
-		return (ENOBUFS);
+	error = usbhid_xfer_check_len(sc, USBHID_INTR_OUT_DT, len);
+	if (error)
+		return (error);
 
 	req.intr.maxlen = len;
 	return (usbhid_sync_xfer(sc, USBHID_INTR_OUT_DT, &req,
@@ -568,6 +592,11 @@ usbhid_set_idle(device_t dev, uint16_t duration, uint8_t id)
 {
 	struct usbhid_softc* sc = device_get_softc(dev);
 	union usbhid_device_request req;
+	int error;
+
+	error = usbhid_xfer_check_len(sc, USBHID_CTRL_DT, 0);
+	if (error)
+		return (error);
 
 	/* Duration is measured in 4 milliseconds per unit. */
 	req.ctrl.bmRequestType = UT_WRITE_CLASS_INTERFACE;
@@ -585,6 +614,11 @@ usbhid_set_protocol(device_t dev, uint16_t protocol)
 {
 	struct usbhid_softc* sc = device_get_softc(dev);
 	union usbhid_device_request req;
+	int error;
+
+	error = usbhid_xfer_check_len(sc, USBHID_CTRL_DT, 0);
+	if (error)
+		return (error);
 
 	req.ctrl.bmRequestType = UT_WRITE_CLASS_INTERFACE;
 	req.ctrl.bRequest = UR_SET_PROTOCOL;


More information about the dev-commits-src-main mailing list