Hi, Jonathan.

(2012/12/12 0:25), Jonathan A. Kollasch wrote:
> On Tue, Dec 11, 2012 at 09:17:32AM +0000, SAITOH Masanobu wrote:
>> Module Name: src
>> Committed By: msaitoh
>> Date: Tue Dec 11 09:17:32 UTC 2012
>>
>> Modified Files:
>> src/sys/dev/usb: ubsa_common.c
>>
>> Log Message:
>> Fix off by one read error.
>>
>>
>> To generate a diff of this commit:
>> cvs rdiff -u -r1.8 -r1.9 src/sys/dev/usb/ubsa_common.c
>
> Judging by the other usage of UBSA_MAXCONN, it appears it was correct
> before.
>
> Jonathan Kollasch

The diff is as follows: > Index: ubsa_common.c > =================================================================== > RCS file: /cvsroot/src/sys/dev/usb/ubsa_common.c,v > retrieving revision 1.8 > retrieving revision 1.9 > diff -U 9 -r1.8 -r1.9 > --- ubsa_common.c 24 Feb 2012 06:48:25 -0000 1.8 > +++ ubsa_common.c 11 Dec 2012 09:17:31 -0000 1.9 > @@ -99,19 +99,19 @@ > { > usb_device_request_t req; > usbd_status err; > > if (sc->sc_quadumts) > req.bmRequestType = UT_WRITE_CLASS_INTERFACE; > else > req.bmRequestType = UT_WRITE_VENDOR_DEVICE; > > - if (portno > UBSA_MAXCONN) { > + if (portno >= UBSA_MAXCONN) { > printf("%s: ubsa_request: invalid port(%d)#\n", > device_xname(sc->sc_dev), portno); > return USBD_INVAL; > } > > req.bRequest = request; > USETW(req.wValue, value); > USETW(req.wIndex, sc->sc_iface_number[portno]); > USETW(req.wLength, 0); And ubsavar.h says: > #define UBSA_MAXCONN 3 > > struct ubsa_softc { > device_t sc_dev; /* base device */ > usbd_device_handle sc_udev; /* USB device */ > usbd_interface_handle sc_iface[UBSA_MAXCONN]; /* interface */ > > int sc_iface_number[UBSA_MAXCONN]; /* interface > number */ > int sc_config_index; /* USB CONFIG_INDEX */ > If we allow portno == 3, sc_iface_number[portno] overruns. -- ----------------------------------------------- SAITOH Masanobu (msai...@execsw.org msai...@netbsd.org)
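
Review bot: The range check at "if (portno >= UBSA_MAXCONN)" tests only the upper bound. portno is printed with %d, so if it is a signed int, a negative value still passes the check and indexes before sc_iface_number[] in the USETW(req.wIndex, sc->sc_iface_number[portno]) line that follows; consider "if (portno < 0 || portno >= UBSA_MAXCONN)" or an unsigned parameter type. The new upper bound matches the "int sc_iface_number[UBSA_MAXCONN]" declaration quoted from ubsavar.h, whose valid indices are 0 to UBSA_MAXCONN - 1. The "#" after "invalid port(%d)" in the printf format string also looks unintended and could be dropped while this line is being touched.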