Author: janderwald
Date: Wed Feb 22 18:34:39 2012
New Revision: 55810
URL:
http://svn.reactos.org/svn/reactos?rev=55810&view=rev
Log:
[USBUHCI]
- Detect the size of the configuration descriptor before obtaining the full configuration
descriptor
- Fix integer overflow in BuildTransferDescriptorChain
Modified:
trunk/reactos/drivers/usb/usbuhci/usb_device.cpp
trunk/reactos/drivers/usb/usbuhci/usb_request.cpp
Modified: trunk/reactos/drivers/usb/usbuhci/usb_device.cpp
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/usb/usbuhci/usb_de…
==============================================================================
--- trunk/reactos/drivers/usb/usbuhci/usb_device.cpp [iso-8859-1] (original)
+++ trunk/reactos/drivers/usb/usbuhci/usb_device.cpp [iso-8859-1] Wed Feb 22 18:34:39
2012
@@ -787,7 +787,7 @@
CtrlSetup.wValue.LowByte = Index;
CtrlSetup.wValue.HiByte = USB_CONFIGURATION_DESCRIPTOR_TYPE;
CtrlSetup.wIndex.W = 0;
- CtrlSetup.wLength = PAGE_SIZE;
+ CtrlSetup.wLength = sizeof(USB_CONFIGURATION_DESCRIPTOR);
//
// now build MDL describing the buffer
@@ -810,7 +810,7 @@
//
// commit packet
//
- Status = CommitSetupPacket(&CtrlSetup, 0, PAGE_SIZE, Mdl);
+ Status = CommitSetupPacket(&CtrlSetup, 0, sizeof(USB_CONFIGURATION_DESCRIPTOR),
Mdl);
if (!NT_SUCCESS(Status))
{
//
@@ -822,26 +822,66 @@
}
//
+ // get configuration descriptor
+ //
+ ConfigurationDescriptor = (PUSB_CONFIGURATION_DESCRIPTOR)Buffer;
+
+ //
+ // sanity checks
+ //
+ ASSERT(ConfigurationDescriptor->bLength == sizeof(USB_CONFIGURATION_DESCRIPTOR));
+ ASSERT(ConfigurationDescriptor->wTotalLength <= PAGE_SIZE);
+ ASSERT(ConfigurationDescriptor->bNumInterfaces);
+ ASSERT(ConfigurationDescriptor->wTotalLength);
+ ASSERT(ConfigurationDescriptor->bDescriptorType ==
USB_CONFIGURATION_DESCRIPTOR_TYPE);
+
+ //
+ // informal debug print
+ //
+ DumpConfigurationDescriptor(ConfigurationDescriptor);
+
+ //
+ // build setup packet
+ //
+ CtrlSetup.bmRequestType._BM.Recipient = BMREQUEST_TO_DEVICE;
+ CtrlSetup.bmRequestType._BM.Type = BMREQUEST_STANDARD;
+ CtrlSetup.bmRequestType._BM.Reserved = 0;
+ CtrlSetup.bmRequestType._BM.Dir = BMREQUEST_DEVICE_TO_HOST;
+ CtrlSetup.bRequest = USB_REQUEST_GET_DESCRIPTOR;
+ CtrlSetup.wValue.LowByte = Index;
+ CtrlSetup.wValue.HiByte = USB_CONFIGURATION_DESCRIPTOR_TYPE;
+ CtrlSetup.wIndex.W = 0;
+ CtrlSetup.wLength = ConfigurationDescriptor->wTotalLength;
+
+ //
+ // commit packet
+ //
+ Status = CommitSetupPacket(&CtrlSetup, 0,
ConfigurationDescriptor->wTotalLength, Mdl);
+ if (!NT_SUCCESS(Status))
+ {
+ //
+ // failed to issue request, cleanup
+ //
+ IoFreeMdl(Mdl);
+ ExFreePool(Buffer);
+ return Status;
+ }
+
+ //
// now free the mdl
//
IoFreeMdl(Mdl);
- //
- // get configuration descriptor
- //
- ConfigurationDescriptor = (PUSB_CONFIGURATION_DESCRIPTOR)Buffer;
-
- //
- // informal debug print
- //
- DumpConfigurationDescriptor(ConfigurationDescriptor);
//
// sanity check
//
- PC_ASSERT(ConfigurationDescriptor->bLength ==
sizeof(USB_CONFIGURATION_DESCRIPTOR));
- PC_ASSERT(ConfigurationDescriptor->wTotalLength <= PAGE_SIZE);
- PC_ASSERT(ConfigurationDescriptor->bNumInterfaces);
+ ASSERT(ConfigurationDescriptor->bLength == sizeof(USB_CONFIGURATION_DESCRIPTOR));
+ ASSERT(ConfigurationDescriptor->wTotalLength <= PAGE_SIZE);
+ ASSERT(ConfigurationDescriptor->bNumInterfaces);
+ ASSERT(ConfigurationDescriptor->wTotalLength);
+ ASSERT(ConfigurationDescriptor->bDescriptorType ==
USB_CONFIGURATION_DESCRIPTOR_TYPE);
+
//
// request is complete, initialize configuration descriptor
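Review bot: The length that drives the second GET_DESCRIPTOR request, `ConfigurationDescriptor->wTotalLength`, comes from the device and is bounded only by `ASSERT`s, which are typically compiled out of release builds, so a device reporting a total length above `PAGE_SIZE` (or below the header size) is not rejected at runtime. If Buffer and Mdl cover a single page (their allocation is outside this hunk, but the previous `PAGE_SIZE` transfer length suggests so), the second transfer could write past the buffer. The checks before the second `CommitSetupPacket` should be real conditionals that free Mdl and Buffer and return an error, as sketched below. The repeated asserts after the second transfer deserve the same treatment, because the full descriptor may carry a different header from the one validated first. Nothing visible here confirms that the first transfer returned all `sizeof(USB_CONFIGURATION_DESCRIPTOR)` bytes before the header is parsed.

```cpp
// … unchanged: ConfigurationDescriptor = (PUSB_CONFIGURATION_DESCRIPTOR)Buffer; …

//
// the header is device-controlled: validate it at runtime, not only in checked builds
//
if (ConfigurationDescriptor->bLength != sizeof(USB_CONFIGURATION_DESCRIPTOR) ||
    ConfigurationDescriptor->bDescriptorType != USB_CONFIGURATION_DESCRIPTOR_TYPE ||
    ConfigurationDescriptor->bNumInterfaces == 0 ||
    ConfigurationDescriptor->wTotalLength < sizeof(USB_CONFIGURATION_DESCRIPTOR) ||
    ConfigurationDescriptor->wTotalLength > PAGE_SIZE)
{
    //
    // malformed descriptor header, cleanup
    //
    IoFreeMdl(Mdl);
    ExFreePool(Buffer);
    return STATUS_DEVICE_DATA_ERROR;
}

// … unchanged: build setup packet and commit the second request …
```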
Modified: trunk/reactos/drivers/usb/usbuhci/usb_request.cpp
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/usb/usbuhci/usb_re…
==============================================================================
--- trunk/reactos/drivers/usb/usbuhci/usb_request.cpp [iso-8859-1] (original)
+++ trunk/reactos/drivers/usb/usbuhci/usb_request.cpp [iso-8859-1] Wed Feb 22 18:34:39
2012
@@ -823,14 +823,14 @@
OUT PUCHAR OutDataToggle)
{
PUHCI_TRANSFER_DESCRIPTOR FirstDescriptor = NULL, CurrentDescriptor, LastDescriptor =
NULL;
- UCHAR TransferBufferOffset = 0;
+ ULONG TransferBufferOffset = 0;
NTSTATUS Status;
ULONG MaxPacketSize, CurrentBufferSize;
//
// FIXME FIXME FIXME FIXME FIXME
//
- MaxPacketSize = 64; //1280;
+ MaxPacketSize = 1280;
do
{
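Review bot: `MaxPacketSize = 1280;` remains a hard-coded constant under the FIXME banner, and nothing in the hunk says where the value comes from or ties it to the endpoint being serviced. Widening `TransferBufferOffset` to `ULONG` removes the wrap-around, but the per-descriptor size is still not derived from the device's endpoint descriptor, so an endpoint with a smaller maximum packet size would presumably be handed oversized descriptors. I would at least document the constant, for example `// 1280 is presumably the largest payload one UHCI transfer descriptor can describe; FIXME: clamp to the endpoint's wMaxPacketSize`, and replace it with the endpoint value once that is available in this function. The function body continues outside the hunk, so whether `CurrentBufferSize` is clamped further down cannot be seen here.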