From owner-svn-src-user@FreeBSD.ORG Sat Sep 25 01:23:27 2010 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1BA021065698; Sat, 25 Sep 2010 01:23:27 +0000 (UTC) (envelope-from weongyo@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id F40478FC36; Sat, 25 Sep 2010 01:23:26 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o8P1NQ6Z045346; Sat, 25 Sep 2010 01:23:26 GMT (envelope-from weongyo@svn.freebsd.org) Received: (from weongyo@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o8P1NQG2045344; Sat, 25 Sep 2010 01:23:26 GMT (envelope-from weongyo@svn.freebsd.org) Message-Id: <201009250123.o8P1NQG2045344@svn.freebsd.org> From: Weongyo Jeong Date: Sat, 25 Sep 2010 01:23:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r213151 - user/weongyo/usb/sys/dev/usb X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Sep 2010 01:23:27 -0000 Author: weongyo Date: Sat Sep 25 01:23:26 2010 New Revision: 213151 URL: http://svn.freebsd.org/changeset/base/213151 Log: Adds an assertion to check the buffer boundary. Modified: user/weongyo/usb/sys/dev/usb/usb_busdma.c Modified: user/weongyo/usb/sys/dev/usb/usb_busdma.c ==============================================================================
--- user/weongyo/usb/sys/dev/usb/usb_busdma.c Sat Sep 25 01:18:01 2010 (r213150)
+++ user/weongyo/usb/sys/dev/usb/usb_busdma.c Sat Sep 25 01:23:26 2010 (r213151)
@@ -126,6 +126,13 @@ usbd_copy_in(struct usb_page_cache *cach
 if (buf_res.length > len) {
 buf_res.length = len;
 }
+
+ /* Checks the buffer boundary */
+ USB_ASSERT((char *)buf_res.buffer + buf_res.length <=
+ (char *)cache->buffer + cache->buflen,
+ ("overflow is happened (%p %d/%p %d)", buf_res.buffer,
+ buf_res.length, cache->buffer, cache->buflen));
+
 bcopy(ptr, buf_res.buffer, buf_res.length);

 offset += buf_res.length;
@@ -156,6 +163,13 @@ usbd_copy_in_user(struct usb_page_cache
 if (buf_res.length > len) {
 buf_res.length = len;
 }
+
+ /* Checks the buffer boundary */
+ USB_ASSERT((char *)buf_res.buffer + buf_res.length <=
+ (char *)cache->buffer + cache->buflen,
+ ("overflow is happened (%p %d/%p %d)", buf_res.buffer,
+ buf_res.length, cache->buffer, cache->buflen));
+
 error = copyin(ptr, buf_res.buffer, buf_res.length);
 if (error)
 return (error);
@@ -216,6 +230,13 @@ usb_uiomove(struct usb_page_cache *pc, s
 if (res.length > len) {
 res.length = len;
 }
+
+ /* Checks the buffer boundary */
+ USB_ASSERT((char *)res.buffer + res.length <=
+ (char *)pc->buffer + pc->buflen,
+ ("overflow is happened (%p %d/%p %d)", res.buffer,
+ res.length, pc->buffer, pc->buflen));
+
 /*
 * "uiomove()" can sleep so one needs to make a wrapper,
 * exiting the mutex and checking things
@@ -248,6 +269,13 @@ usbd_copy_out(struct usb_page_cache *cac
 if (res.length > len) {
 res.length = len;
 }
+
+ /* Checks the buffer boundary */
+ USB_ASSERT((char *)res.buffer + res.length <=
+ (char *)cache->buffer + cache->buflen,
+ ("overflow is happened (%p %d/%p %d)", res.buffer,
+ res.length, cache->buffer, cache->buflen));
+
 bcopy(res.buffer, ptr, res.length);

 offset += res.length;
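Review bot: The bounds check added to usbd_copy_in is only an assertion, so if USB_ASSERT expands to KASSERT (its definition is not on this page) a kernel built without INVARIANTS still runs the `bcopy` past `cache->buffer + cache->buflen`. The same holds for the identical blocks added to usbd_copy_in_user, usb_uiomove, usbd_copy_out, usbd_copy_out_user and usbd_frame_zero; on the two copy-out paths the overrun is a read whose result is handed back to the caller or to user space. Where `offset` and `len` can be influenced by a device or an ioctl caller, keep the assertion for debugging but add a runtime guard that compares offsets rather than pointer sums, e.g. `if (offset > cache->buflen || len > cache->buflen - offset)` ahead of the loop, and fail the call there. usbd_copy_in_user and usbd_copy_out_user already return `error`, so they can `return (EINVAL);`. Each function starts and ends outside its hunk, so the loop bounds and return types should be confirmed against the full file.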
@@ -278,6 +306,13 @@ usbd_copy_out_user(struct usb_page_cache
 if (res.length > len) {
 res.length = len;
 }
+
+ /* Checks the buffer boundary */
+ USB_ASSERT((char *)res.buffer + res.length <=
+ (char *)cache->buffer + cache->buflen,
+ ("overflow is happened (%p %d/%p %d)", res.buffer,
+ res.length, cache->buffer, cache->buflen));
+
 error = copyout(res.buffer, ptr, res.length);
 if (error)
 return (error);
@@ -306,6 +341,13 @@ usbd_frame_zero(struct usb_page_cache *c
 if (res.length > len) {
 res.length = len;
 }
+
+ /* Checks the buffer boundary */
+ USB_ASSERT((char *)res.buffer + res.length <=
+ (char *)cache->buffer + cache->buflen,
+ ("overflow is happened (%p %d/%p %d)", res.buffer,
+ res.length, cache->buffer, cache->buflen));
+
 bzero(res.buffer, res.length);

 offset += res.length;
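Review bot: The assertion block added to usbd_frame_zero is the sixth verbatim copy in this commit (also usbd_copy_in, usbd_copy_in_user, usb_uiomove, usbd_copy_out, usbd_copy_out_user), differing only in the variable names, so any later correction to the bounds check has to be repeated six times. One macro taking the page cache and the search result keeps the copies in step; the sketch below uses a placeholder name and leaves the check itself as committed. The message prints `res.length` and `cache->buflen` with `%d`; their declarations are not on this page, so confirm the types and switch to `%u` or a cast with `%ju` if they are unsigned or wider than int. usbd_frame_zero starts and ends outside the hunk.

```c
/* Placeholder name; define once near the top of usb_busdma.c. */
#define	USB_PC_ASSERT_BOUNDS(pc, res)					\
	USB_ASSERT((char *)(res)->buffer + (res)->length <=		\
	    (char *)(pc)->buffer + (pc)->buflen,			\
	    ("overflow is happened (%p %d/%p %d)", (res)->buffer,	\
	    (res)->length, (pc)->buffer, (pc)->buflen))

		/* ... unchanged: clamp of res.length to len ... */
		USB_PC_ASSERT_BOUNDS(cache, &res);
		bzero(res.buffer, res.length);
```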