authorMartin Pieuchot <mpi@cvs.openbsd.org>2015-09-01 10:00:27 +0000
committerMartin Pieuchot <mpi@cvs.openbsd.org>2015-09-01 10:00:27 +0000
commit139d1399389601b5d2f1a58a44198692bc417ad4 (patch)
tree953577acd98fb4538ae4594a403db3872eb8ae9b /sys
parent8376bab155e6fb1531053181fd916f3a68632fbb (diff)
Reject USB requests that could damage the bus integrity, just like it
is done in ugen(4). Found by Grant Czajkowski during the GSoC 2015.
Diffstat (limited to 'sys')
-rw-r--r--sys/dev/usb/usb.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/sys/dev/usb/usb.c b/sys/dev/usb/usb.c
index 499e09b7607..24be6326ed2 100644
--- a/sys/dev/usb/usb.c
+++ b/sys/dev/usb/usb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: usb.c,v 1.107 2015/03/14 03:38:50 jsg Exp $ */
+/* $OpenBSD: usb.c,v 1.108 2015/09/01 10:00:26 mpi Exp $ */
/* $NetBSD: usb.c,v 1.77 2003/01/01 00:10:26 thorpej Exp $ */
/*
@@ -622,7 +622,16 @@ usbioctl(dev_t devt, u_long cmd, caddr_t data, int flag, struct proc *p)
return (EBADF);
DPRINTF(("usbioctl: USB_REQUEST addr=%d len=%d\n", addr, len));
- if (len < 0 || len > 32768)
+ /* Avoid requests that would damage the bus integrity. */
+ if ((ur->ucr_request.bmRequestType == UT_WRITE_DEVICE &&
+ ur->ucr_request.bRequest == UR_SET_ADDRESS) ||
+ (ur->ucr_request.bmRequestType == UT_WRITE_DEVICE &&
+ ur->ucr_request.bRequest == UR_SET_CONFIG) ||
+ (ur->ucr_request.bmRequestType == UT_WRITE_INTERFACE &&
+ ur->ucr_request.bRequest == UR_SET_INTERFACE))
+ return (EINVAL);
+
+ if (len < 0 || len > 32767)
return (EINVAL);
if (addr < 0 || addr >= USB_MAX_DEVICES)
return (EINVAL);
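Review bot: The three rejected (bmRequestType, bRequest) pairs are written out inline in usbioctl() and, per the commit message, mirror a check that already exists in ugen(4), so the two deny-lists can drift apart the next time one of them is extended. Consider moving the test into a single shared helper that both paths call, so a request blocked through one device node is always blocked through the other. Separately, the length bound changes from 32768 to 32767 with no mention in the commit message and no comment. A one-line comment such as `/* wLength bound; keep in sync with ugen(4) */` (assuming that is the reason) or a named constant would make the limit reviewable. usbioctl()'s body starts and ends outside this hunk.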