While I haven't yet gotten around to trying DFU with this patch applied, my guess as to the issue would be the checks of the form "if (ctrl->bRequestType == USB_DIR_OUT)" or "if (ctrl->bRequestType == USB_DIR_IN)". The bRequestType field contains many flag bits other than the direction bit. The checks should just check that the USB_DIR_IN bit (0x80) is set or not set, rather than checking if the entire ctrl->bRequestType field equals some value.
Sultan

On Mon, Nov 28, 2022 at 7:48 AM Marek Vasut <ma...@denx.de> wrote:
> On 11/21/22 18:34, Tom Rini wrote:
> > On Thu, Nov 03, 2022 at 09:37:48AM +0530, Venkatesh Yadav Abbarapu wrote:
> >
> >> DFU implementation does not bound the length field in USB
> >> DFU download setup packets, and it does not verify
> >> the transfer direction. Fixing the length and transfer
> >> direction.
> >>
> >> CVE-2022-2347
> >>
> >> Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbar...@amd.com>
> >> Reviewed-by: Marek Vasut <ma...@denx.de>
> >
> > Applied to u-boot/master, thanks!
>
> So this breaks DFU support in SPL as I just found out.
> Any idea why?
>
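The equality-versus-mask distinction Sultan describes, as an added C example that is not part of this thread or of U-Boot's code. The struct and the USB_DIR_*/USB_TYPE_*/USB_RECIP_* constants are local copies of the standard names so the file builds stand-alone, and the two setup packets are constructed samples of a DFU_DNLOAD and a DFU_GETSTATUS request.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* bmRequestType layout (USB 2.0 spec 9.3): bit 7 direction, bits 6..5 type,
 * bits 4..0 recipient. Names match the Linux/U-Boot <linux/usb/ch9.h> ones. */
#define USB_DIR_OUT         0x00
#define USB_DIR_IN          0x80
#define USB_TYPE_CLASS      0x20
#define USB_RECIP_INTERFACE 0x01

/* Setup packet. Every DFU request is a class request aimed at the interface,
 * so bRequestType is 0x21 (OUT) or 0xA1 (IN), never a bare 0x00 or 0x80. */
struct usb_ctrlrequest {
    uint8_t  bRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

/* Flawed form: whole-field equality fails once any type/recipient bit is set. */
bool dir_check_equality(const struct usb_ctrlrequest *ctrl, uint8_t want_dir)
{
    return ctrl->bRequestType == want_dir;
}

/* Correct form: isolate the direction bit, then compare. */
bool dir_check_masked(const struct usb_ctrlrequest *ctrl, uint8_t want_dir)
{
    return (ctrl->bRequestType & USB_DIR_IN) == want_dir;
}

/* Constructed samples: a DFU_DNLOAD (OUT) and a DFU_GETSTATUS (IN) packet. */
const struct usb_ctrlrequest dfu_dnload = {
    .bRequestType = USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE, /* 0x21 */
    .bRequest = 1, .wValue = 0, .wIndex = 0, .wLength = 256,
};
const struct usb_ctrlrequest dfu_getstatus = {
    .bRequestType = USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE,  /* 0xA1 */
    .bRequest = 3, .wValue = 0, .wIndex = 0, .wLength = 6,
};
int main(void)
{
    /* Equality rejects both real DFU packets; the masked check accepts them. */
    printf("DNLOAD    equality=%d masked=%d\n",
           dir_check_equality(&dfu_dnload, USB_DIR_OUT), dir_check_masked(&dfu_dnload, USB_DIR_OUT));
    printf("GETSTATUS equality=%d masked=%d\n",
           dir_check_equality(&dfu_getstatus, USB_DIR_IN), dir_check_masked(&dfu_getstatus, USB_DIR_IN));
    return 0;
}
```

Because every DFU request carries the class and interface bits, the equality form rejects all of them, which is consistent with DFU stopping entirely rather than failing on a subset of requests.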