From: Ben Hutchings
To: Valentina Manea, Shuah Khan
Cc: linux-usb@vger.kernel.org
Date: Thu, 11 Oct 2018 06:30:57 +0100
Message-ID: <20181011053057.GA3375@decadent.org.uk>
Subject: [PATCH] usbip: vhci_hcd: Check rhport everywhere in vhci_hub_control()
X-Patchwork-Submitter: Ben Hutchings
X-Patchwork-Id: 10636079

Commit 5b22f676118f "usbip: vhci_hcd: check rhport before using in
vhci_hub_control()" added some validation of rhport, but left
several problems:

- If VHCI_HC_PORTS < 256, we can get rhport >= VHCI_HC_PORTS which
  is also out of range.  To keep things simple, set rhport to -1 if
  this would happen.
- For GetPortStatus, we range-check wIndex (and by implication
  rhport) and report an error, but *don't* skip the following code.
  Add a goto to the error path.
- At the end of the function, there's one last port_status lookup
  that's not protected by any range check.

Fixes: 5b22f676118f ("usbip: vhci_hcd: check rhport before using in ...")
Cc: stable@vger.kernel.org
Signed-off-by: Ben Hutchings
---
 drivers/usb/usbip/vhci_hcd.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index d11f3f8dad40..e259d3812641 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -334,9 +334,12 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, usbip_dbg_vhci_rh("typeReq %x wValue %x wIndex %x\n", typeReq, wValue, wIndex); - if (wIndex > VHCI_HC_PORTS) + if (wIndex > VHCI_HC_PORTS) { pr_err("invalid port number %d\n", wIndex); - rhport = wIndex - 1; + rhport = -1; + } else { + rhport = wIndex - 1; + } vhci_hcd = hcd_to_vhci_hcd(hcd); vhci = vhci_hcd->vhci; @@ -414,10 +417,10 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, *(__le32 *) buf = cpu_to_le32(0); break; case GetPortStatus: - usbip_dbg_vhci_rh(" GetPortStatus port %x\n", wIndex); - if (wIndex < 1) { - pr_err("invalid port number %d\n", wIndex); - retval = -EPIPE; + usbip_dbg_vhci_rh(" GetPortStatus port %x\n", rhport); + if (rhport < 0) { + pr_err("invalid port number %d\n", rhport); + goto error; } /* we do not care about resume. */ @@ -618,7 +621,7 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, spin_unlock_irqrestore(&vhci->lock, flags); - if ((vhci_hcd->port_status[rhport] & PORT_C_MASK) != 0) + if (rhport >= 0 && (vhci_hcd->port_status[rhport] & PORT_C_MASK) != 0) usb_hcd_poll_rh_status(hcd); return retval;
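
Review bot: in the first hunk (@@ -334), the new sentinel `rhport = -1` and the later `rhport < 0` / `rhport >= 0` tests only work if rhport is a signed type, and its declaration is not in the visible context, so please confirm it. Note also that wIndex == 0 reaches -1 through the else branch (`rhport = wIndex - 1`) without hitting the pr_err, while wIndex > VHCI_HC_PORTS logs unconditionally for every request type, including ones that never use a port. A one-line comment stating that -1 means "no valid port" would make both paths explicit, and a rate-limited or debug-level message would avoid log noise driven by a request field.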
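
Review bot: in the GetPortStatus hunk (@@ -414), the pr_err now prints rhport, which is always -1 on this path, so the message no longer identifies the offending wIndex; keep wIndex in `pr_err("invalid port number %d\n", ...)`. The debug line has the same issue with `%x`, where -1 prints as ffffffff and valid ports change from 1-based to 0-based in the log. For wIndex > VHCI_HC_PORTS the error is now logged twice, once at the top of the function and once here. The removed `retval = -EPIPE` relies on the `error` label setting the same value; that label is outside the visible lines, so please confirm the return code is unchanged.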
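
Review bot: in the last hunk (@@ -618), the guard `rhport >= 0` checks only the lower bound, so the safety of `port_status[rhport]` depends entirely on the clamp added in the first hunk staying the sole assignment to rhport. A short comment here, or a small helper that validates both bounds, would keep the two from drifting apart. The subject says "everywhere", but the visible hunks cover only GetPortStatus and this final lookup; it would help to state in the commit message that the other cases between these hunks that index port_status already bail out on rhport < 0.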