Date: Sat, 7 Nov 2009 01:02:39 GMT From: Hans Petter Selasky <hselasky@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 170304 for review Message-ID: <200911070102.nA712dKn008846@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://p4web.freebsd.org/chv.cgi?CH=170304 Change 170304 by hselasky@hselasky_laptop001 on 2009/11/07 01:02:23 LibUSB: - fix a memory leak on the USB backend - fix invalid pointer computations (in one case memory outside the allocated area was written in LibUSB v1.0) - make sure memory is always initialised, also in failing cases - patch by: Robert Jenssen Affected files ... .. //depot/projects/usb/src/lib/libusb/libusb10.c#12 edit .. //depot/projects/usb/src/lib/libusb/libusb10_desc.c#9 edit .. //depot/projects/usb/src/lib/libusb/libusb20.c#8 edit .. //depot/projects/usb/src/lib/libusb/libusb20_desc.c#4 edit .. //depot/projects/usb/src/lib/libusb/libusb20_ugen20.c#10 edit Differences ... ==== //depot/projects/usb/src/lib/libusb/libusb10.c#12 (text+ko) ==== @@ -416,6 +416,8 @@ libusb10_remove_pollfd(ctx, &dev->dev_poll); libusb20_dev_close(pdev); + + /* unref will free the "pdev" when the refcount reaches zero */ libusb_unref_device(dev); /* make sure our event loop detects the closed device */ ==== //depot/projects/usb/src/lib/libusb/libusb10_desc.c#9 (text+ko) ==== @@ -35,6 +35,8 @@ #include "libusb.h" #include "libusb10.h" +#define N_ALIGN(n) (-((-(n)) & (-8UL))) + /* USB descriptors */ int @@ -114,17 +116,17 @@ nalt = nif = pconf->num_interface; nep = 0; - nextra = pconf->extra.len; + nextra = N_ALIGN(pconf->extra.len); for (i = 0; i < nif; i++) { pinf = pconf->interface + i; - nextra += pinf->extra.len; + nextra += N_ALIGN(pinf->extra.len); nep += pinf->num_endpoints; k = pinf->num_endpoints; pend = pinf->endpoints; while (k--) { - nextra += pend->extra.len; + nextra += N_ALIGN(pend->extra.len); pend++; } @@ -132,12 +134,12 @@ nalt += pinf->num_altsetting; pinf = pinf->altsetting; while (j--) { - nextra += pinf->extra.len; + nextra += N_ALIGN(pinf->extra.len); nep += pinf->num_endpoints; k = pinf->num_endpoints; pend = pinf->endpoints; while (k--) { - nextra += pend->extra.len; + nextra += N_ALIGN(pend->extra.len); pend++; } pinf++; @@ -150,17 +152,18 @@ (nalt * sizeof(libusb_interface_descriptor)) + (nep * sizeof(libusb_endpoint_descriptor)); + nextra = N_ALIGN(nextra); + pconfd = malloc(nextra); if (pconfd == NULL) { free(pconf); return (LIBUSB_ERROR_NO_MEM); } - /* make sure memory is clean */ + /* make sure memory is initialised */ memset(pconfd, 0, nextra); - pconfd->interface = (libusb_interface *) (pconfd + - sizeof(libusb_config_descriptor)); + pconfd->interface = (libusb_interface *) (pconfd + 1); ifd = (libusb_interface_descriptor *) (pconfd->interface + nif); endd = (libusb_endpoint_descriptor *) (ifd + nalt); @@ -181,7 +184,7 @@ pconfd->extra_length = pconf->extra.len; pconfd->extra = pextra; memcpy(pextra, pconf->extra.ptr, pconfd->extra_length); - pextra += pconfd->extra_length; + pextra += N_ALIGN(pconfd->extra_length); } /* setup all interface and endpoint pointers */ @@ -221,7 +224,7 @@ ifd->extra_length = pinf->extra.len; ifd->extra = pextra; memcpy(pextra, pinf->extra.ptr, pinf->extra.len); - pextra += pinf->extra.len; + pextra += N_ALIGN(pinf->extra.len); } for (k = 0; k < pinf->num_endpoints; k++) { pend = &pinf->endpoints[k]; @@ -238,7 +241,7 @@ endd->extra_length = pend->extra.len; endd->extra = pextra; memcpy(pextra, pend->extra.ptr, pend->extra.len); - pextra += pend->extra.len; + pextra += N_ALIGN(pend->extra.len); } } } ==== //depot/projects/usb/src/lib/libusb/libusb20.c#8 (text+ko) ==== @@ -630,6 +630,9 @@ struct LIBUSB20_CONTROL_SETUP_DECODED req; int error; + /* make sure memory is initialised */ + memset(ptr, 0, len); + if (len < 4) { /* invalid length */ return (LIBUSB20_ERROR_INVALID_PARAM); @@ -1093,7 +1096,8 @@ if (pbe->methods->exit_backend) { pbe->methods->exit_backend(pbe); } - return; + /* free backend */ + free(pbe); } void @@ -1101,7 +1105,6 @@ { pdev->beMethods = pbe->methods; /* copy backend methods */ TAILQ_INSERT_TAIL(&(pbe->usb_devs), pdev, dev_entry); - return; } void @@ -1109,5 +1112,4 @@ struct libusb20_device *pdev) { TAILQ_REMOVE(&(pbe->usb_devs), pdev, dev_entry); - return; } ==== //depot/projects/usb/src/lib/libusb/libusb20_desc.c#4 (text+ko) ==== @@ -118,6 +118,9 @@ if (lub_config == NULL) { return (NULL); /* out of memory */ } + /* make sure memory is initialised */ + memset(lub_config, 0, size); + lub_interface = (void *)(lub_config + 1); lub_alt_interface = (void *)(lub_interface + niface_no_alt); lub_endpoint = (void *)(lub_interface + niface); ==== //depot/projects/usb/src/lib/libusb/libusb20_ugen20.c#10 (text+ko) ==== @@ -449,6 +449,8 @@ uint16_t len; int error; + /* make sure memory is initialised */ + memset(&cdesc, 0, sizeof(cdesc)); memset(&gen_desc, 0, sizeof(gen_desc)); gen_desc.ugd_data = &cdesc; @@ -468,6 +470,10 @@ if (!ptr) { return (LIBUSB20_ERROR_NO_MEM); } + + /* make sure memory is initialised */ + memset(ptr, 0, len); + gen_desc.ugd_data = ptr; gen_desc.ugd_maxlen = len;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200911070102.nA712dKn008846>