authormpi <mpi@openbsd.org>2013-05-17 09:14:08 +0000
committermpi <mpi@openbsd.org>2013-05-17 09:14:08 +0000
commit8fbca9e20746f26958936d3559fb03b04f024d64 (patch)
treeee634d535ac9860df8b81fa7c3467b600dc5ddec
parentDon't leak information to userland in case the actual transfer length is (diff)
Make it clear that the code related to a transfer submission doesn't
leak anything to userland because it doesn't set the USBD_SHORT_XFER_OK flag. Also prevent a bad copy/paste from introducing a similar issue by using the actual transferred length instead of the requested one in uiomove(). ok miod@
-rw-r--r--sys/dev/usb/urio.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/sys/dev/usb/urio.c b/sys/dev/usb/urio.c
index bf6feeb72dc..ac202ed2b5d 100644
--- a/sys/dev/usb/urio.c
+++ b/sys/dev/usb/urio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: urio.c,v 1.41 2013/04/15 09:23:02 mglocker Exp $ */
+/* $OpenBSD: urio.c,v 1.42 2013/05/17 09:14:08 mpi Exp $ */
/* $NetBSD: urio.c,v 1.15 2002/10/23 09:14:02 jdolecek Exp $ */
/*
@@ -427,7 +427,6 @@ urioioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p)
struct uio uio;
usb_device_request_t req;
usbd_status err;
- int req_flags = 0;
u_int32_t req_actlen = 0;
void *ptr = NULL;
int error = 0;
@@ -492,7 +491,7 @@ urioioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p)
sc->sc_refcnt++;
- err = usbd_do_request_flags(sc->sc_udev, &req, ptr, req_flags,
+ err = usbd_do_request_flags(sc->sc_udev, &req, ptr, 0,
&req_actlen, USBD_DEFAULT_TIMEOUT);
if (--sc->sc_refcnt < 0)
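Review bot: The literal `0` now passed as the flags argument to usbd_do_request_flags() carries the whole safety argument from the commit message, yet nothing at the call site says so. A one-line comment above the call would stop a later edit from adding USBD_SHORT_XFER_OK without revisiting the copy-out that follows, for example `/* flags stay 0: without USBD_SHORT_XFER_OK a short transfer is reported as an error */`. The body of urioioctl() starts and ends outside this hunk, so whether such a comment already exists nearby cannot be seen from here.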
@@ -501,8 +500,8 @@ urioioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p)
if (err) {
error = EIO;
} else {
- if (len != 0 && uio.uio_rw == UIO_READ)
- error = uiomove(ptr, len, &uio);
+ if (req_actlen != 0 && uio.uio_rw == UIO_READ)
+ error = uiomove(ptr, req_actlen, &uio);
}
ret:
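Review bot: The length handed to uiomove() is now whatever the USB stack stored in req_actlen, and nothing in these lines bounds it by the size of the buffer behind ptr. The allocation is outside the hunk and is presumably sized from len; if so, an explicit guard would make the copy-out safe against a misbehaving controller driver instead of relying on it, e.g. `if (req_actlen > len) error = EIO;` followed by `else if (req_actlen != 0 && uio.uio_rw == UIO_READ)`. A KASSERT on the same condition would at least document the invariant. The rest of urioioctl(), including the setup of uio and ptr, is not visible in this hunk.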