Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 25 Sep 2010 01:23:26 +0000 (UTC)
From:      Weongyo Jeong <weongyo@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-user@freebsd.org
Subject:   svn commit: r213151 - user/weongyo/usb/sys/dev/usb
Message-ID:  <201009250123.o8P1NQG2045344@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: weongyo
Date: Sat Sep 25 01:23:26 2010
New Revision: 213151
URL: http://svn.freebsd.org/changeset/base/213151

Log:
  Adds an assertion to check the buffer boundary.

Modified:
  user/weongyo/usb/sys/dev/usb/usb_busdma.c

Modified: user/weongyo/usb/sys/dev/usb/usb_busdma.c
==============================================================================
--- user/weongyo/usb/sys/dev/usb/usb_busdma.c	Sat Sep 25 01:18:01 2010	(r213150)
+++ user/weongyo/usb/sys/dev/usb/usb_busdma.c	Sat Sep 25 01:23:26 2010	(r213151)
@@ -126,6 +126,13 @@ usbd_copy_in(struct usb_page_cache *cach
 		if (buf_res.length > len) {
 			buf_res.length = len;
 		}
+
+		/* Checks the buffer boundary */
+		USB_ASSERT((char *)buf_res.buffer + buf_res.length <=
+		    (char *)cache->buffer + cache->buflen,
+		    ("overflow is happened (%p %d/%p %d)", buf_res.buffer,
+			buf_res.length, cache->buffer, cache->buflen));
+
 		bcopy(ptr, buf_res.buffer, buf_res.length);
 
 		offset += buf_res.length;
@@ -156,6 +163,13 @@ usbd_copy_in_user(struct usb_page_cache 
 		if (buf_res.length > len) {
 			buf_res.length = len;
 		}
+
+		/* Checks the buffer boundary */
+		USB_ASSERT((char *)buf_res.buffer + buf_res.length <=
+		    (char *)cache->buffer + cache->buflen,
+		    ("overflow is happened (%p %d/%p %d)", buf_res.buffer,
+			buf_res.length, cache->buffer, cache->buflen));
+
 		error = copyin(ptr, buf_res.buffer, buf_res.length);
 		if (error)
 			return (error);
@@ -216,6 +230,13 @@ usb_uiomove(struct usb_page_cache *pc, s
 		if (res.length > len) {
 			res.length = len;
 		}
+
+		/* Checks the buffer boundary */
+		USB_ASSERT((char *)res.buffer + res.length <=
+		    (char *)pc->buffer + pc->buflen,
+		    ("overflow is happened (%p %d/%p %d)", res.buffer,
+			res.length, pc->buffer, pc->buflen));
+
 		/*
 		 * "uiomove()" can sleep so one needs to make a wrapper,
 		 * exiting the mutex and checking things
@@ -248,6 +269,13 @@ usbd_copy_out(struct usb_page_cache *cac
 		if (res.length > len) {
 			res.length = len;
 		}
+
+		/* Checks the buffer boundary */
+		USB_ASSERT((char *)res.buffer + res.length <=
+		    (char *)cache->buffer + cache->buflen,
+		    ("overflow is happened (%p %d/%p %d)", res.buffer,
+			res.length, cache->buffer, cache->buflen));
+
 		bcopy(res.buffer, ptr, res.length);
 
 		offset += res.length;
@@ -278,6 +306,13 @@ usbd_copy_out_user(struct usb_page_cache
 		if (res.length > len) {
 			res.length = len;
 		}
+
+		/* Checks the buffer boundary */
+		USB_ASSERT((char *)res.buffer + res.length <=
+		    (char *)cache->buffer + cache->buflen,
+		    ("overflow is happened (%p %d/%p %d)", res.buffer,
+			res.length, cache->buffer, cache->buflen));
+
 		error = copyout(res.buffer, ptr, res.length);
 		if (error)
 			return (error);
@@ -306,6 +341,13 @@ usbd_frame_zero(struct usb_page_cache *c
 		if (res.length > len) {
 			res.length = len;
 		}
+
+		/* Checks the buffer boundary */
+		USB_ASSERT((char *)res.buffer + res.length <=
+		    (char *)cache->buffer + cache->buflen,
+		    ("overflow is happened (%p %d/%p %d)", res.buffer,
+			res.length, cache->buffer, cache->buflen));
+
 		bzero(res.buffer, res.length);
 
 		offset += res.length;

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201009250123.o8P1NQG2045344>