From: Oleksij Rempel Date: Thu, 18 Jul 2013 14:44:46 +0000 (+0200) Subject: k2_fw_usb_api: prevent buffer overflow. X-Git-Tag: 1.4.0~11^2~7 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=e3e96797ec020bba955ae59e173044987e5d4806;p=open-ath9k-htc-firmware.git k2_fw_usb_api: prevent buffer overflow. This was reproduced on intel USB 3.0 controller. After getting corrupt packet we was jumping bejond allocated buffer. Insted of oopsing we can at lest warn hier. Signed-off-by: Oleksij Rempel --- diff --git a/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c b/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c index b8adbf4..0be8a87 100755 --- a/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c +++ b/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c @@ -452,6 +452,11 @@ void vUsb_Reg_Out_patch(void) // accumulate the size cmdLen += usbfifolen; + if (cmdLen > buf->desc_list->buf_size) { + A_PRINTF("Data length on EP4 FIFO is bigger as allocated buffer data!" + " Drop it!\n"); + goto ERR; + } // round it to alignment if(usbfifolen % 4)