From c34360b6b8a503a19219e73232f62f0f98d27044 Mon Sep 17 00:00:00 2001 From: Xiaoguang Wu Date: Mon, 4 Jun 2018 09:59:40 +0800 Subject: [PATCH] DM USB: Fix potential crash issues. This patch fix some potential crash issues, like wild pointers access, buffer overflow and etc. Change-Id: Iddd8e1820da426adc6b9b4d9da9e44017d9f365c Signed-off-by: Xiaoguang Wu Reviewed-by: Yu Wang Acked-by: Eddie Dong --- devicemodel/hw/pci/xhci.c | 11 ++++++++--- devicemodel/hw/platform/usb_pmapper.c | 6 +++++- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/devicemodel/hw/pci/xhci.c b/devicemodel/hw/pci/xhci.c index 0e6b3c711..9602a70b4 100644 --- a/devicemodel/hw/pci/xhci.c +++ b/devicemodel/hw/pci/xhci.c @@ -748,7 +748,8 @@ pci_xhci_dev_destroy(struct pci_xhci_dev_emu *de) if (ue->ue_deinit) ue->ue_deinit(ud); } - } + } else + return; if (ue->ue_devtype == USB_DEV_PORT_MAPPER) free(ue); @@ -3314,7 +3315,8 @@ pci_xhci_parse_bus_port(struct pci_xhci_vdev *xdev, char *opts) /* 'bus-port' format */ cnt = sscanf(opts, "%u-%u", &bus, &port); - if (cnt == EOF || cnt < 2) { + if (cnt == EOF || cnt < 2 || bus >= USB_NATIVE_NUM_BUS || + port >= USB_NATIVE_NUM_PORT) { rc = -1; goto errout; } @@ -3534,7 +3536,10 @@ errout: xdev->portregs = NULL; } UPRINTF(LFTL, "fail to parse xHCI options, rc=%d\r\n", rc); - pci_xhci_device_usage(opts); + + if (opts) + pci_xhci_device_usage(opts); + return rc; } diff --git a/devicemodel/hw/platform/usb_pmapper.c b/devicemodel/hw/platform/usb_pmapper.c index b7d342350..e0177a7f0 100644 --- a/devicemodel/hw/platform/usb_pmapper.c +++ b/devicemodel/hw/platform/usb_pmapper.c @@ -149,7 +149,7 @@ usb_dev_prepare_xfer(struct usb_data_xfer *xfer, int *count, int *size) found = 0; first = -1; c = s = 0; - if (!count || !size) + if (!count || !size || idx < 0 || idx >= USB_MAX_XFER_BLOCKS) return -1; for (i = 0; i < xfer->ndata; i++) { 
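Review bot: In pci_xhci_dev_destroy the new `} else return;` only covers the outer condition, so the `ue->ue_devtype` read just below it is still reached whenever the outer branch was taken. The hunk shows a nested block closing right before it; if that inner block is a NULL guard on `ue` (its opening line is outside the hunk), a NULL `ue` is still dereferenced here, and `if (ue && ue->ue_devtype == USB_DEV_PORT_MAPPER)` would close that. The unbraced `else` hanging off a braced block is also easy to misread. A guard clause at the top of the function (for example `if (!de) return;`, assuming the outer test is on `de`) states the same thing more plainly.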
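Review bot: In pci_xhci_parse_bus_port the added `bus >= USB_NATIVE_NUM_BUS` and `port >= USB_NATIVE_NUM_PORT` tests have no lower bound, so they are only sound if both variables are unsigned; their declarations are outside the hunk. The `%u` conversions suggest unsigned, but if either is a plain `int`, an input that ends up negative passes the check. Please confirm the types and add a one-line comment such as `/* bus and port are parsed from the option string; reject values outside the native range */`. The `cnt == EOF` term is redundant next to `cnt < 2`, because EOF is negative.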
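Review bot: The `if (opts)` guard before `pci_xhci_device_usage(opts)` sits on the `errout` path, after the rest of the function has already run. If `opts` can really be NULL, any earlier use of it (outside the hunk) would fault before control gets here, so the guard protects only the usage print. Rejecting a NULL `opts` at function entry would cover every use, and this path could then call `pci_xhci_device_usage(opts)` unconditionally. If the guard stays, a short comment naming the caller that passes NULL would explain why it is needed.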
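Review bot: In usb_dev_prepare_xfer only the starting `idx` is range-checked, while the loop right after it still runs up to `xfer->ndata`, which is not compared with USB_MAX_XFER_BLOCKS. Whether that can step past the block array depends on how `idx` advances in the loop body, which is outside the hunk. If it is a plain increment, an oversized `ndata` overruns, and adding `xfer->ndata > USB_MAX_XFER_BLOCKS` to the same condition would bound it. The same gap applies to the matching check added in usb_dev_prepare_ctrl_xfer. The assignment of `idx` is not visible in this hunk either, so confirm it is set before this test reads it.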
@@ -452,6 +452,10 @@ usb_dev_prepare_ctrl_xfer(struct usb_data_xfer *xfer) struct usb_data_xfer_block *blk = NULL; idx = xfer->head; + + if (idx < 0 || idx >= USB_MAX_XFER_BLOCKS) + return NULL; + for (i = 0; i < xfer->ndata; i++) { /* * find out the data block and set every
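Review bot: The new `return NULL` in usb_dev_prepare_ctrl_xfer is silent, so a caller cannot tell an out-of-range `xfer->head` from any other NULL result the function may produce; the rest of the body is outside the hunk. An out-of-range head means the transfer state is inconsistent, which deserves a log line before the return so the condition shows up in the device-model log. A comment above the check, for example `/* do not walk the blocks from an out-of-range head */`, would record the intent. Since the same range test now appears in usb_dev_prepare_xfer, a small `static inline` helper would keep the two checks from drifting apart.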