Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-07-23 13:03:47 +00:00
Code Issues Projects Releases Packages Wiki Activity

[USBPORT] Correctly handle alternate settings returned from USBPORT_ParseConfigurationDescriptor.

Browse source 
The last parameter of USBPORT_ParseConfigurationDescriptor is a pointer
to a boolean indicating whether any alternate interface settings were
found for the specified interface.
Interpreting it as an alternate setting value, as we did before,
would always override the alternate setting to '1' (if any alternate
descriptors were present), therefore selecting the wrong interface
setting, and possibly causing a buffer overflow on the InterfaceList's
Pipes array.

Found by Special Pool.
This commit is contained in:
Thomas Faber 2019-03-06 09:57:23 +01:00
parent 36c1cb0910
commit ac20ab031c
No known key found for this signature in database
GPG key ID: 076E7C3D44720826
1 changed files with 9 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

17
drivers/usb/usbport/device.c
View file

@ -186,7 +186,7 @@ NTAPI
USBPORT_ParseConfigurationDescriptor(IN PUSB_CONFIGURATION_DESCRIPTOR ConfigDescriptor,
IN UCHAR InterfaceNumber,
IN UCHAR Alternate,
OUT PUCHAR OutAlternate)
OUT PBOOLEAN HasAlternates)
{
PUSB_CONFIGURATION_DESCRIPTOR TmpDescriptor;
PUSB_INTERFACE_DESCRIPTOR iDescriptor;
@ -197,8 +197,8 @@ USBPORT_ParseConfigurationDescriptor(IN PUSB_CONFIGURATION_DESCRIPTOR ConfigDesc
DPRINT("USBPORT_ParseConfigurationDescriptor ... \n");
if (OutAlternate)
*OutAlternate = 0;
if (HasAlternates)
*HasAlternates = FALSE;
for (TmpDescriptor = (PUSB_CONFIGURATION_DESCRIPTOR)((ULONG_PTR)ConfigDescriptor + ConfigDescriptor->bLength);
TmpDescriptor->bDescriptorType != USB_INTERFACE_DESCRIPTOR_TYPE && TmpDescriptor->bLength > 0;
@ -235,8 +235,8 @@ USBPORT_ParseConfigurationDescriptor(IN PUSB_CONFIGURATION_DESCRIPTOR ConfigDesc
++ix;
}
if ((ix > 1) && OutAlternate)
*OutAlternate = 1;
if ((ix > 1) && HasAlternates)
*HasAlternates = TRUE;
return OutDescriptor;
}
@ -256,6 +256,7 @@ USBPORT_OpenInterface(IN PURB Urb,
PUSBPORT_PIPE_HANDLE PipeHandle;
PUSB_ENDPOINT_DESCRIPTOR Descriptor;
PUSBD_PIPE_INFORMATION PipeInfo;
BOOLEAN HasAlternates;
ULONG NumEndpoints;
SIZE_T Length;
SIZE_T HandleLength;
@ -271,14 +272,14 @@ USBPORT_OpenInterface(IN PURB Urb,
InterfaceDescriptor = USBPORT_ParseConfigurationDescriptor(ConfigHandle->ConfigurationDescriptor,
InterfaceInfo->InterfaceNumber,
InterfaceInfo->AlternateSetting,
&InterfaceInfo->AlternateSetting);
&HasAlternates);
NumEndpoints = InterfaceDescriptor->bNumEndpoints;
Length = FIELD_OFFSET(USBD_INTERFACE_INFORMATION, Pipes) +
NumEndpoints * sizeof(USBD_PIPE_INFORMATION);
if (InterfaceInfo->AlternateSetting && IsSetInterface)
if (HasAlternates && IsSetInterface)
{
DPRINT1("USBPORT_OpenInterface: InterfaceInfo->AlternateSetting && IsSetInterface !\n");
}
@ -491,7 +492,7 @@ USBPORT_InitInterfaceInfo(IN PUSBD_INTERFACE_INFORMATION InterfaceInfo,
Descriptor = USBPORT_ParseConfigurationDescriptor(ConfigHandle->ConfigurationDescriptor,
InterfaceInfo->InterfaceNumber,
InterfaceInfo->AlternateSetting,
&InterfaceInfo->AlternateSetting);
NULL);
Length = sizeof(USBD_INTERFACE_INFORMATION) +
sizeof(USBD_PIPE_INFORMATION);