diff options
| author | Anton Staaf <robotboy@chromium.org> | 2016-03-02 14:11:55 -0800 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2016-03-02 20:26:20 -0800 |
| commit | bb0c3687e650415314284dabe6b00c1f5a6c42da (patch) | |
| tree | 441726d760097d9fcb9f4884841be34ce4a81c99 /chip | |
| parent | ad7d6516b5dc041f9d2b1947dd550a592db09e0c (diff) | |
| download | chrome-ec-bb0c3687e650415314284dabe6b00c1f5a6c42da.tar.gz | |
USB: Add bounds checking to USB-SPI bridge read
Previously a bogus rx_count value from the USB hardware could have
caused a buffer overflow while copying from the packet ram to the DMA
bounce buffer. I'm not sure if it is possible to cause the hardware
to generate a bogus rx_count, I doubt it, but this is now nicely
paranoid
Signed-off-by: Anton Staaf <robotboy@chromium.org>
BRANCH=None
BUG=None
TEST=make buildall -j
Test SPI bridge functionality on discover board
Change-Id: I080ba1c1f05c2b0a86a4c6eb89e8c1387827466e
Reviewed-on: https://chromium-review.googlesource.com/329849
Commit-Ready: Anton Staaf <robotboy@chromium.org>
Tested-by: Anton Staaf <robotboy@chromium.org>
Reviewed-by: Nick Sanders <nsanders@google.com>
Diffstat (limited to 'chip')
| -rw-r--r-- | chip/stm32/usb_spi.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/chip/stm32/usb_spi.c b/chip/stm32/usb_spi.c index 0f63cbbe65..1a54d5f6b7 100644 --- a/chip/stm32/usb_spi.c +++ b/chip/stm32/usb_spi.c @@ -9,6 +9,7 @@ #include "spi.h" #include "usb_descriptor.h" #include "usb_spi.h" +#include "util.h" static int16_t usb_spi_map_error(int error) { @@ -20,16 +21,17 @@ static int16_t usb_spi_map_error(int error) } } -static uint8_t usb_spi_read_packet(struct usb_spi_config const *config) +static uint16_t usb_spi_read_packet(struct usb_spi_config const *config) { - size_t i; - uint8_t count = btable_ep[config->endpoint].rx_count & 0x3ff; + size_t i; + uint16_t bytes = btable_ep[config->endpoint].rx_count & 0x3ff; + size_t count = MAX((bytes + 1) / 2, USB_MAX_PACKET_SIZE / 2); /* * The USB peripheral doesn't support DMA access to its packet * RAM so we have to copy messages out into a bounce buffer. */ - for (i = 0; i < (count + 1) / 2; ++i) + for (i = 0; i < count; ++i) config->buffer[i] = config->rx_ram[i]; /* @@ -39,7 +41,7 @@ static uint8_t usb_spi_read_packet(struct usb_spi_config const *config) */ STM32_TOGGLE_EP(config->endpoint, EP_RX_MASK, EP_RX_VALID, 0); - return count; + return bytes; } static void usb_spi_write_packet(struct usb_spi_config const *config, @@ -85,9 +87,9 @@ void usb_spi_deferred(struct usb_spi_config const *config) * response. */ if (!rx_valid(config)) { - uint8_t count = usb_spi_read_packet(config); - uint8_t write_count = (config->buffer[0] >> 0) & 0xff; - uint8_t read_count = (config->buffer[0] >> 8) & 0xff; + uint16_t count = usb_spi_read_packet(config); + uint8_t write_count = (config->buffer[0] >> 0) & 0xff; + uint8_t read_count = (config->buffer[0] >> 8) & 0xff; if (!config->state->enabled) { config->buffer[0] = USB_SPI_DISABLED; |