From 4877f634cc9e54158974fe8f80ce4362181678a1 Mon Sep 17 00:00:00 2001
From: Johannes Anderwald
Date: Wed, 22 Feb 2012 18:34:39 +0000
Subject: [PATCH] [USBUHCI] - Detect the size of the configuration descriptor before obtaining the full configuration descriptor - Fix integer overflow in BuildTransferDescriptorChain svn path=/trunk/; revision=55810
---
 reactos/drivers/usb/usbuhci/usb_device.cpp | 68 ++++++++++++++++-----
 reactos/drivers/usb/usbuhci/usb_request.cpp | 4 +-
 2 files changed, 56 insertions(+), 16 deletions(-)
diff --git a/reactos/drivers/usb/usbuhci/usb_device.cpp b/reactos/drivers/usb/usbuhci/usb_device.cpp
index 3bd4d29a2a5..8ec9f95c59c 100644
--- a/reactos/drivers/usb/usbuhci/usb_device.cpp
+++ b/reactos/drivers/usb/usbuhci/usb_device.cpp
@@ -787,7 +787,7 @@ CUSBDevice::CreateConfigurationDescriptor(
 CtrlSetup.wValue.LowByte = Index;
 CtrlSetup.wValue.HiByte = USB_CONFIGURATION_DESCRIPTOR_TYPE;
 CtrlSetup.wIndex.W = 0;
- CtrlSetup.wLength = PAGE_SIZE;
+ CtrlSetup.wLength = sizeof(USB_CONFIGURATION_DESCRIPTOR);
 
 //
 // now build MDL describing the buffer
@@ -810,7 +810,53 @@ CUSBDevice::CreateConfigurationDescriptor(
 //
 // commit packet
 //
- Status = CommitSetupPacket(&CtrlSetup, 0, PAGE_SIZE, Mdl);
+ Status = CommitSetupPacket(&CtrlSetup, 0, sizeof(USB_CONFIGURATION_DESCRIPTOR), Mdl);
+ if (!NT_SUCCESS(Status))
+ {
+ //
+ // failed to issue request, cleanup
+ //
+ IoFreeMdl(Mdl);
+ ExFreePool(Buffer);
+ return Status;
+ }
+
+ //
+ // get configuration descriptor
+ //
+ ConfigurationDescriptor = (PUSB_CONFIGURATION_DESCRIPTOR)Buffer;
+
+ //
+ // sanity checks
+ //
+ ASSERT(ConfigurationDescriptor->bLength == sizeof(USB_CONFIGURATION_DESCRIPTOR));
+ ASSERT(ConfigurationDescriptor->wTotalLength <= PAGE_SIZE);
+ ASSERT(ConfigurationDescriptor->bNumInterfaces);
+ ASSERT(ConfigurationDescriptor->wTotalLength);
+ ASSERT(ConfigurationDescriptor->bDescriptorType == USB_CONFIGURATION_DESCRIPTOR_TYPE);
+
+ //
+ // informal debug print
+ //
+ DumpConfigurationDescriptor(ConfigurationDescriptor);
+
+ //
+ // build setup packet
+ //
+ CtrlSetup.bmRequestType._BM.Recipient = BMREQUEST_TO_DEVICE;
+ CtrlSetup.bmRequestType._BM.Type = BMREQUEST_STANDARD;
+ CtrlSetup.bmRequestType._BM.Reserved = 0;
+ CtrlSetup.bmRequestType._BM.Dir = BMREQUEST_DEVICE_TO_HOST;
+ CtrlSetup.bRequest = USB_REQUEST_GET_DESCRIPTOR;
+ CtrlSetup.wValue.LowByte = Index;
+ CtrlSetup.wValue.HiByte = USB_CONFIGURATION_DESCRIPTOR_TYPE;
+ CtrlSetup.wIndex.W = 0;
+ CtrlSetup.wLength = ConfigurationDescriptor->wTotalLength;
+
+ //
+ // commit packet
+ //
+ Status = CommitSetupPacket(&CtrlSetup, 0, ConfigurationDescriptor->wTotalLength, Mdl);
 if (!NT_SUCCESS(Status))
 {
 //
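Review bot: The bounds on the device-supplied descriptor header are enforced only by ASSERT, which compiles to nothing in a release build, so a device reporting a `wTotalLength` larger than the buffer behind `Mdl` drives the second `CommitSetupPacket` with a length the buffer cannot hold (the buffer allocation is outside the hunk; the old PAGE_SIZE request and the `wTotalLength <= PAGE_SIZE` assertion suggest it is one page). These checks should be runtime failures that free `Mdl` and `Buffer` and return an error before the second request is built, and the lower bound should require `wTotalLength >= sizeof(USB_CONFIGURATION_DESCRIPTOR)` rather than merely non-zero, since a header shorter than itself cannot be walked. The ASSERT block in the next hunk has the same release-build gap. CreateConfigurationDescriptor continues outside this hunk.
```cpp
    ConfigurationDescriptor = (PUSB_CONFIGURATION_DESCRIPTOR)Buffer;

    //
    // validate the device-supplied header before trusting wTotalLength
    //
    if (ConfigurationDescriptor->bLength != sizeof(USB_CONFIGURATION_DESCRIPTOR) ||
        ConfigurationDescriptor->bDescriptorType != USB_CONFIGURATION_DESCRIPTOR_TYPE ||
        ConfigurationDescriptor->wTotalLength < sizeof(USB_CONFIGURATION_DESCRIPTOR) ||
        ConfigurationDescriptor->wTotalLength > PAGE_SIZE ||
        ConfigurationDescriptor->bNumInterfaces == 0)
    {
        //
        // malformed descriptor, cleanup
        //
        IoFreeMdl(Mdl);
        ExFreePool(Buffer);
        return STATUS_UNSUCCESSFUL;
    }
    // … unchanged: debug print, second setup packet, CommitSetupPacket …
```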
@@ -826,22 +872,16 @@ CUSBDevice::CreateConfigurationDescriptor(
 //
 IoFreeMdl(Mdl);
- //
- // get configuration descriptor
- //
- ConfigurationDescriptor = (PUSB_CONFIGURATION_DESCRIPTOR)Buffer;
-
- //
- // informal debug print
- //
- DumpConfigurationDescriptor(ConfigurationDescriptor);
 //
 // sanity check
 //
- PC_ASSERT(ConfigurationDescriptor->bLength == sizeof(USB_CONFIGURATION_DESCRIPTOR));
- PC_ASSERT(ConfigurationDescriptor->wTotalLength <= PAGE_SIZE);
- PC_ASSERT(ConfigurationDescriptor->bNumInterfaces);
+ ASSERT(ConfigurationDescriptor->bLength == sizeof(USB_CONFIGURATION_DESCRIPTOR));
+ ASSERT(ConfigurationDescriptor->wTotalLength <= PAGE_SIZE);
+ ASSERT(ConfigurationDescriptor->bNumInterfaces);
+ ASSERT(ConfigurationDescriptor->wTotalLength);
+ ASSERT(ConfigurationDescriptor->bDescriptorType == USB_CONFIGURATION_DESCRIPTOR_TYPE);
+
 //
 // request is complete, initialize configuration descriptor
diff --git a/reactos/drivers/usb/usbuhci/usb_request.cpp b/reactos/drivers/usb/usbuhci/usb_request.cpp
index 49103c7f34c..6408694decf 100644
--- a/reactos/drivers/usb/usbuhci/usb_request.cpp
+++ b/reactos/drivers/usb/usbuhci/usb_request.cpp
@@ -823,14 +823,14 @@ CUSBRequest::BuildTransferDescriptorChain(
 OUT PUCHAR OutDataToggle)
 {
 PUHCI_TRANSFER_DESCRIPTOR FirstDescriptor = NULL, CurrentDescriptor, LastDescriptor = NULL;
- UCHAR TransferBufferOffset = 0;
+ ULONG TransferBufferOffset = 0;
 NTSTATUS Status;
 ULONG MaxPacketSize, CurrentBufferSize;
 
 //
 // FIXME FIXME FIXME FIXME FIXME
 //
- MaxPacketSize = 64; //1280;
+ MaxPacketSize = 1280;
 
 do
 {
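Review bot: The header re-checked after the full-length read is never compared with the header obtained from the first, short read, although the second GET_DESCRIPTOR was sized with the first `wTotalLength` and a device is free to answer the second request with a different value; if the descriptor walk that follows (outside the hunk) uses the re-read `wTotalLength`, it can run past the bytes actually transferred. Suggest keeping the first value in a local, say `TotalLength`, and failing the request rather than asserting when the re-read header disagrees, e.g. `if (ConfigurationDescriptor->wTotalLength != TotalLength) { ExFreePool(Buffer); return STATUS_UNSUCCESSFUL; }` placed after the ASSERT block, since `Mdl` has already been freed at the top of this hunk. CreateConfigurationDescriptor continues outside the hunk.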
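Review bot: `MaxPacketSize = 1280;` remains a magic number behind a FIXME: it is not derived from the endpoint's wMaxPacketSize, and nothing in the hunk records why 1280 — which appears to be the largest length a UHCI transfer descriptor's MaxLen field can encode — is the right chunk size for every endpoint. At minimum the comment above it should say so, e.g. `// 1280 is the largest length a single UHCI TD can carry; should come from the endpoint's wMaxPacketSize`. Widening `TransferBufferOffset` to ULONG removes the 8-bit wrap the commit message refers to, but the loop that advances it lies outside the hunk, so whether each chunk is also bounded by the remaining transfer length cannot be confirmed here. BuildTransferDescriptorChain's body continues past the end of the hunk.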