k2_fw_usb_api: prevent buffer overflow.
diff --git
a/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
b/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
index 8c1ac84bd967404eea9b6c7968cea1da138ebcc1..0be8a8744ed0f89d5c11cd9085e33b7eea17efa8 100755
(executable)
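--- a/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
+++ b/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
@@ -354,7 +354,7 @@ void _fw_usb_reset_fifo(void)
  volatile uint32_t *reg_data;
  HAL_BYTE_REG_WRITE(0x100ae, (HAL_BYTE_REG_READ(0x100ae)|0x10));
- HAL_BYTE_REG_WRITE(0x100ae, (HAL_BYTE_REG_READ(0x100af)|0x10));
+ HAL_BYTE_REG_WRITE(0x100af, (HAL_BYTE_REG_READ(0x100af)|0x10));
  // disable ep3 int enable, so that resume back won't send wdt magic pattern out!!!
  mUSB_STATUS_IN_INT_DISABLE();
@@ -418,6 +418,10 @@ void vUsb_Reg_Out_patch(void)
  // get the size of this transcation
  usbfifolen = USB_BYTE_REG_READ(ZM_EP4_BYTE_COUNT_LOW_OFFSET);
+ if (usbfifolen > 0x40) {
+ A_PRINTF("EP4 FIFO Bug? Buffer is too big: %x\n", usbfifolen);
+ goto ERR;
+ }
  // check is command is new
  if( cmd_is_new ){
@@ -448,6 +452,11 @@ void vUsb_Reg_Out_patch(void)
  // accumulate the size
  cmdLen += usbfifolen;
+ if (cmdLen > buf->desc_list->buf_size) {
+ A_PRINTF("Data length on EP4 FIFO is bigger as allocated buffer data!"
+ " Drop it!\n");
+ goto ERR;
+ }
  // round it to alignment
  if(usbfifolen % 4)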
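Review bot: In the third hunk of vUsb_Reg_Out_patch the new bound is tested on the unrounded `cmdLen`, before the `// round it to alignment` step that can raise `usbfifolen` by up to 3 bytes. If the FIFO copy that follows (outside the hunk) writes the rounded length, the last word could still land past `buf_size` when `buf_size` is not a multiple of four or when several short transfers accumulate, so the comparison should cover the aligned total, for example `if (((cmdLen + 3) & ~3) > buf->desc_list->buf_size) {`, or be moved below the rounding. The `0x40` in the second hunk would read better as a named constant, presumably the EP4 FIFO size. Both new `goto ERR` paths depend on cleanup code that is not visible here; the first one runs before the `cmd_is_new` branch, so it is worth confirming that ERR copes with `buf` not being set up yet and resets the accumulated state.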