Gitiles
Code Review Sign In
gerrit.devboardsforandroid.linaro.org / platform / external / u-boot / eaf3e613ea6f0dc95c94a93997ad62785fe2969c^! / . / common / usb_hub.c
commiteaf3e613ea6f0dc95c94a93997ad62785fe2969c[log] [tgz]
authorJulius Werner <jwerner@chromium.org>Fri Jul 19 13:12:08 2013 -0700
committerMarek Vasut <marex@denx.de>Mon Aug 26 21:56:34 2013 +0200
tree37cad21b6993b25dc9b82245cc84ec4db0780713
parent1572eadfbc8e0ec7e6a4b80034eb4c30abe96739 [diff] [blame]
usb: Use well-known descriptor sizes when parsing configuration

The existing USB configuration parsing code relies on the descriptors'
own length values when reading through the configuration blob. Since the
size of those descriptors is always well-defined, we should rather use
the known sizes instead of trusting device-provided values to be
correct. Also adds some safety to potential out-of-order descriptors.

Change-Id: I16f69dfdd6793aa0fe930b5148d4521f3e5c3090
Signed-off-by: Julius Werner <jwerner@chromium.org>

diff --git a/common/usb_hub.c b/common/usb_hub.c
index fd2b4ed..ffac0e7 100644
--- a/common/usb_hub.c
+++ b/common/usb_hub.c

@@ -306,7 +306,7 @@
 
 static int usb_hub_configure(struct usb_device *dev)
 {
-	int i;
+	int i, length;
 	ALLOC_CACHE_ALIGN_BUFFER(unsigned char, buffer, USB_BUFSIZ);
 	unsigned char *bitmap;
 	short hubCharacteristics;
@@ -327,20 +327,14 @@
 	}
 	descriptor = (struct usb_hub_descriptor *)buffer;
 
-	/* silence compiler warning if USB_BUFSIZ is > 256 [= sizeof(char)] */
-	i = descriptor->bLength;
-	if (i > USB_BUFSIZ) {
-		debug("usb_hub_configure: failed to get hub " \
-		      "descriptor - too long: %d\n", descriptor->bLength);
-		return -1;
-	}
+	length = min(descriptor->bLength, sizeof(struct usb_hub_descriptor));
 
-	if (usb_get_hub_descriptor(dev, buffer, descriptor->bLength) < 0) {
+	if (usb_get_hub_descriptor(dev, buffer, length) < 0) {
 		debug("usb_hub_configure: failed to get hub " \
 		      "descriptor 2nd giving up %lX\n", dev->status);
 		return -1;
 	}
-	memcpy((unsigned char *)&hub->desc, buffer, descriptor->bLength);
+	memcpy((unsigned char *)&hub->desc, buffer, length);
 	/* adjust 16bit values */
 	put_unaligned(le16_to_cpu(get_unaligned(
 			&descriptor->wHubCharacteristics)),