diff options
| author | wdenk <wdenk> | 2004-02-23 20:48:38 +0000 |
|---|---|---|
| committer | wdenk <wdenk> | 2004-02-23 20:48:38 +0000 |
| commit | cd0a9de68b03e5a54fd2a08f44be318e4397be01 (patch) | |
| tree | 161762b51f26b604823009e2bcc1c7b3105c6361 /common | |
| parent | 2d1a537d87727907bf4d888760cba4abc0b52ad3 (diff) | |
| download | talos-obmc-uboot-cd0a9de68b03e5a54fd2a08f44be318e4397be01.tar.gz talos-obmc-uboot-cd0a9de68b03e5a54fd2a08f44be318e4397be01.zip | |
* Patch by Laurent Mohin, 10 Feb 2004:
Fix buffer overflow in common/usb.c
* Patch by Tolunay Orkun, 10 Feb 2004:
Add support for Cogent CSB272 board
* Code cleanup
Diffstat (limited to 'common')
| -rw-r--r-- | common/cmd_ace.c | 7 | ||||
| -rw-r--r-- | common/cmd_itest.c | 14 | ||||
| -rw-r--r-- | common/usb.c | 37 |
3 files changed, 38 insertions, 20 deletions
diff --git a/common/cmd_ace.c b/common/cmd_ace.c index ee77f13568..555fbe3988 100644 --- a/common/cmd_ace.c +++ b/common/cmd_ace.c @@ -195,11 +195,4 @@ static unsigned long systemace_read(int dev, return blkcnt; } - - #endif - -/* - * $Log: $ - */ - diff --git a/common/cmd_itest.c b/common/cmd_itest.c index 9e920c9bdc..87260b02d6 100644 --- a/common/cmd_itest.c +++ b/common/cmd_itest.c @@ -12,7 +12,7 @@ * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License @@ -159,13 +159,13 @@ int binary_test (char *op, char *arg1, char *arg2, int w) /* command line interface to the shell test */ int do_itest ( cmd_tbl_t *cmdtp, int flag, int argc, char *argv[] ) { - int value, w; + int value, w; - /* Validate arguments */ - if ((argc != 4)){ + /* Validate arguments */ + if ((argc != 4)){ printf("Usage:\n%s\n", cmdtp->usage); - return 1; - } + return 1; + } /* Check for a data width specification. * Defaults to long (4) if no specification. @@ -192,6 +192,6 @@ int do_itest ( cmd_tbl_t *cmdtp, int flag, int argc, char *argv[] ) U_BOOT_CMD( itest, 4, 0, do_itest, - "itest - return true/false on integer compare\n", + "itest - return true/false on integer compare\n", "[.b, .w, .l, .s] [*]value1 <op> [*]value2\n" ); diff --git a/common/usb.c b/common/usb.c index a96052a0c0..1bb9438f2a 100644 --- a/common/usb.c +++ b/common/usb.c @@ -25,7 +25,6 @@ * */ - /* * How it works: * @@ -47,7 +46,7 @@ #endif -#undef USB_DEBUG +/* #define USB_DEBUG */ #ifdef USB_DEBUG #define USB_PRINTF(fmt,args...) printf (fmt ,##args) @@ -55,6 +54,8 @@ #define USB_PRINTF(fmt,args...) #endif +#define USB_BUFSIZ 512 + static struct usb_device usb_dev[USB_MAX_DEVICE]; static int dev_index; static int running; @@ -387,6 +388,12 @@ int usb_get_configuration_no(struct usb_device *dev,unsigned char *buffer,int cf } tmp=swap_16(config->wTotalLength); + if (tmp > USB_BUFSIZ) { + USB_PRINTF("usb_get_configuration_no: failed to get descriptor - too long: %d\n", + tmp); + return -1; + } + result = usb_get_descriptor(dev, USB_DT_CONFIG, cfgno, buffer, tmp); USB_PRINTF("get_conf_no %d Result %d, wLength %d\n",cfgno,result,tmp); return result; @@ -516,8 +523,7 @@ int usb_get_string(struct usb_device *dev, unsigned short langid, unsigned char */ int usb_string(struct usb_device *dev, int index, char *buf, size_t size) { - - unsigned char mybuf[256]; + unsigned char mybuf[USB_BUFSIZ]; unsigned char *tbuf; int err; unsigned int u, idx; @@ -551,6 +557,12 @@ int usb_string(struct usb_device *dev, int index, char *buf, size_t size) return err; u=tbuf[0]; USB_PRINTF("Strn Len %d, index %d\n",u,index); + + if (u > USB_BUFSIZ) { + USB_PRINTF("usb_string: failed to get string - too long: %d\n", u); + return -1; + } + err = usb_get_string(dev, dev->string_langid, index, tbuf, u); if (err < 0) return err; @@ -619,7 +631,7 @@ int usb_new_device(struct usb_device *dev) { int addr, err; int tmp; - unsigned char tmpbuf[256]; + unsigned char tmpbuf[USB_BUFSIZ]; dev->descriptor.bMaxPacketSize0 = 8; /* Start off at 8 bytes */ dev->maxpacketsize = 0; /* Default to 8 byte max packet size */ @@ -895,7 +907,7 @@ void usb_hub_port_connect_change(struct usb_device *dev, int port) int usb_hub_configure(struct usb_device *dev) { - unsigned char buffer[256], *bitmap; + unsigned char buffer[USB_BUFSIZ], *bitmap; struct usb_hub_descriptor *descriptor; struct usb_hub_status *hubsts; int i; @@ -912,6 +924,13 @@ int usb_hub_configure(struct usb_device *dev) return -1; } descriptor = (struct usb_hub_descriptor *)buffer; + + if (descriptor->bLength > USB_BUFSIZ) { + USB_HUB_PRINTF("usb_hub_configure: failed to get hub descriptor - too long: %d\N", + descriptor->bLength); + return -1; + } + if (usb_get_hub_descriptor(dev, buffer, descriptor->bLength) < 0) { USB_HUB_PRINTF("usb_hub_configure: failed to get hub descriptor 2nd giving up %lX\n",dev->status); return -1; @@ -968,6 +987,12 @@ int usb_hub_configure(struct usb_device *dev) for (i = 0; i < dev->maxchild; i++) USB_HUB_PRINTF("port %d is%s removable\n", i + 1, hub->desc.DeviceRemovable[(i + 1)/8] & (1 << ((i + 1)%8)) ? " not" : ""); + if (sizeof(struct usb_hub_status) > USB_BUFSIZ) { + USB_HUB_PRINTF("usb_hub_configure: failed to get Status - too long: %d\n", + descriptor->bLength); + return -1; + } + if (usb_get_hub_status(dev, buffer) < 0) { USB_HUB_PRINTF("usb_hub_configure: failed to get Status %lX\n",dev->status); return -1; |
