Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 8 Mar 2009 22:58:19 +0000 (UTC)
From:      Andrew Thompson <thompsa@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r189547 - head/sys/dev/usb
Message-ID:  <200903082258.n28MwJJq001730@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: thompsa
Date: Sun Mar  8 22:58:19 2009
New Revision: 189547
URL: http://svn.freebsd.org/changeset/base/189547

Log:
  MFp4 //depot/projects/usb@158868
  
  Fix bugs and improve HID parsing.
  - fix possible memory leak found
  - fix possible NULL pointer access
  - fix possible invalid memory read
  - parsing improvements
  - reset item data position when a new report ID is detected.
  
  Submitted by:	Hans Petter Selasky

Modified:
  head/sys/dev/usb/usb_hid.c
  head/sys/dev/usb/usb_hid.h

Modified: head/sys/dev/usb/usb_hid.c
==============================================================================
--- head/sys/dev/usb/usb_hid.c	Sun Mar  8 22:55:17 2009	(r189546)
+++ head/sys/dev/usb/usb_hid.c	Sun Mar  8 22:58:19 2009	(r189547)
@@ -57,19 +57,25 @@ __FBSDID("$FreeBSD$");
 #include <dev/usb/usb_hid.h>
 
 static void hid_clear_local(struct hid_item *);
+static uint8_t hid_get_byte(struct hid_data *s, const uint16_t wSize);
 
-#define	MAXUSAGE 100
+#define	MAXUSAGE 64
+#define	MAXPUSH 4
 struct hid_data {
 	const uint8_t *start;
 	const uint8_t *end;
 	const uint8_t *p;
-	struct hid_item cur;
-	int32_t	usages[MAXUSAGE];
-	int	nu;
-	int	minset;
-	int	multi;
-	int	multimax;
+	struct hid_item cur[MAXPUSH];
+	int32_t	usages_min[MAXUSAGE];
+	int32_t	usages_max[MAXUSAGE];
 	int	kindset;
+	uint8_t	pushlevel;	/* current pushlevel */
+	uint8_t	ncount;		/* end usage item count */
+	uint8_t icount;		/* current usage item count */
+	uint8_t	nusage;		/* end "usages_min/max" index */
+	uint8_t	iusage;		/* current "usages_min/max" index */
+	uint8_t ousage;		/* current "usages_min/max" offset */
+	uint8_t	susage;		/* usage set flags */
 };
 
 /*------------------------------------------------------------------------*
@@ -79,6 +85,8 @@ static void
 hid_clear_local(struct hid_item *c)
 {
 
+	c->loc.count = 0;
+	c->loc.size = 0;
 	c->usage = 0;
 	c->usage_minimum = 0;
 	c->usage_maximum = 0;
@@ -99,6 +107,12 @@ hid_start_parse(const void *d, int len, 
 {
 	struct hid_data *s;
 
+	if ((kindset-1) & kindset) {
+		DPRINTFN(0, "Only one bit can be "
+		    "set in the kindset\n");
+		return (NULL);
+	}
+
 	s = malloc(sizeof *s, M_TEMP, M_WAITOK | M_ZERO);
 	s->start = s->p = d;
 	s->end = ((const uint8_t *)d) + len;
@@ -112,60 +126,103 @@ hid_start_parse(const void *d, int len, 
 void
 hid_end_parse(struct hid_data *s)
 {
+	if (s == NULL)
+		return;
 
-	while (s->cur.next != NULL) {
-		struct hid_item *hi = s->cur.next->next;
-
-		free(s->cur.next, M_TEMP);
-		s->cur.next = hi;
-	}
 	free(s, M_TEMP);
 }
 
 /*------------------------------------------------------------------------*
+ *	get byte from HID descriptor
+ *------------------------------------------------------------------------*/
+static uint8_t
+hid_get_byte(struct hid_data *s, const uint16_t wSize)
+{
+	const uint8_t *ptr;
+	uint8_t retval;
+
+	ptr = s->p;
+
+	/* check if end is reached */
+	if (ptr == s->end)
+		return (0);
+
+	/* read out a byte */
+	retval = *ptr;
+
+	/* check if data pointer can be advanced by "wSize" bytes */
+	if ((s->end - ptr) < wSize)
+		ptr = s->end;
+	else
+		ptr += wSize;
+
+	/* update pointer */
+	s->p = ptr;
+
+	return (retval);
+}
+
+/*------------------------------------------------------------------------*
  *	hid_get_item
  *------------------------------------------------------------------------*/
 int
 hid_get_item(struct hid_data *s, struct hid_item *h)
 {
-	struct hid_item *c = &s->cur;
+	struct hid_item *c;
 	unsigned int bTag, bType, bSize;
 	uint32_t oldpos;
-	const uint8_t *data;
+	int32_t mask;
 	int32_t dval;
-	const uint8_t *p;
-	struct hid_item *hi;
-	int i;
 
-top:
-	if (s->multimax != 0) {
-		if (s->multi < s->multimax) {
-			c->usage = s->usages[MIN(s->multi, s->nu - 1)];
-			s->multi++;
+	if (s == NULL)
+		return (0);
+
+	c = &s->cur[s->pushlevel];
+
+ top:
+	/* check if there is an array of items */
+	if ((s->icount != s->ncount) &&
+	    (s->iusage != s->nusage)) {
+		dval = s->usages_min[s->iusage] + s->ousage;
+		c->usage = dval;
+		if (dval == s->usages_max[s->iusage]) {
+			s->iusage ++;
+			s->ousage = 0;
+		} else {
+			s->ousage ++;
+		}
+		s->icount ++;
+		/* 
+		 * Only copy HID item, increment position and return
+		 * if correct kindset!
+		 */
+		if (s->kindset & (1 << c->kind)) {
 			*h = *c;
-			c->loc.pos += c->loc.size;
-			h->next = 0;
+			DPRINTFN(1, "%u,%u,%u\n", h->loc.pos,
+			    h->loc.size, h->loc.count);
+			c->loc.pos += c->loc.size * c->loc.count;
 			return (1);
-		} else {
-			c->loc.count = s->multimax;
-			s->multimax = 0;
-			s->nu = 0;
-			hid_clear_local(c);
 		}
 	}
-	for (;;) {
-		p = s->p;
-		if ((p >= s->end) || (p < s->start))
-			return (0);
 
-		bSize = *p++;
+	/* reset state variables */
+	s->icount = 0;
+	s->ncount = 0;
+	s->iusage = 0;
+	s->nusage = 0;
+	s->susage = 0;
+	s->ousage = 0;
+	hid_clear_local(c);
+
+	/* get next item */
+	while (s->p != s->end) {
+
+		bSize = hid_get_byte(s, 1);
 		if (bSize == 0xfe) {
 			/* long item */
-			bSize = *p++;
-			bSize |= *p++ << 8;
-			bTag = *p++;
-			data = p;
-			p += bSize;
+			bSize = hid_get_byte(s, 1);
+			bSize |= hid_get_byte(s, 1) << 8;
+			bTag = hid_get_byte(s, 1);
 			bType = 0xff;	/* XXX what should it be */
 		} else {
 			/* short item */
@@ -174,30 +231,33 @@ top:
 			bSize &= 3;
 			if (bSize == 3)
 				bSize = 4;
-			data = p;
-			p += bSize;
 		}
-		s->p = p;
 		switch (bSize) {
 		case 0:
 			dval = 0;
+			mask = 0;
 			break;
 		case 1:
-			dval = (int8_t)*data++;
+			dval = (int8_t)hid_get_byte(s, 1);
+			mask = 0xFF;
 			break;
 		case 2:
-			dval = *data++;
-			dval |= *data++ << 8;
+			dval = hid_get_byte(s, 1);
+			dval |= hid_get_byte(s, 1) << 8;
 			dval = (int16_t)dval;
+			mask = 0xFFFF;
 			break;
 		case 4:
-			dval = *data++;
-			dval |= *data++ << 8;
-			dval |= *data++ << 16;
-			dval |= *data++ << 24;
+			dval = hid_get_byte(s, 1);
+			dval |= hid_get_byte(s, 1) << 8;
+			dval |= hid_get_byte(s, 1) << 16;
+			dval |= hid_get_byte(s, 1) << 24;
+			mask = 0xFFFFFFFF;
 			break;
 		default:
-			printf("BAD LENGTH %d\n", bSize);
+			dval = hid_get_byte(s, bSize);
+			DPRINTFN(0, "bad length %u (data=0x%02x)\n",
+			    bSize, dval);
 			continue;
 		}
 
@@ -205,44 +265,35 @@ top:
 		case 0:		/* Main */
 			switch (bTag) {
 			case 8:	/* Input */
-				if (!(s->kindset & (1 << hid_input))) {
-					if (s->nu > 0)
-						s->nu--;
-					continue;
-				}
 				c->kind = hid_input;
 				c->flags = dval;
 		ret:
 				if (c->flags & HIO_VARIABLE) {
-					s->multimax = c->loc.count;
-					s->multi = 0;
+					/* range check usage count */
+					if (c->loc.count > 255) {
+						DPRINTFN(0, "Number of "
+						    "items truncated to 255\n");
+						s->ncount = 255;
+					} else
+						s->ncount = c->loc.count;
+
+					/* 
+					 * The "top" loop will return
+					 * one and one item:
+					 */
 					c->loc.count = 1;
-					if (s->minset) {
-						for (i = c->usage_minimum;
-						    i <= c->usage_maximum;
-						    i++) {
-							s->usages[s->nu] = i;
-							if (s->nu < MAXUSAGE - 1)
-								s->nu++;
-						}
-						s->minset = 0;
-					}
-					goto top;
 				} else {
-					*h = *c;
-					h->next = 0;
-					c->loc.pos +=
-					    c->loc.size * c->loc.count;
-					hid_clear_local(c);
-					s->minset = 0;
-					return (1);
+					/* make sure we have a usage */
+					if (s->nusage == 0) {
+						s->usages_min[s->nusage] = 0;
+						s->usages_max[s->nusage] = 0;
+						s->nusage = 1;
+					}
+					s->ncount = 1;
 				}
+				goto top;
+
 			case 9:	/* Output */
-				if (!(s->kindset & (1 << hid_output))) {
-					if (s->nu > 0)
-						s->nu--;
-					continue;
-				}
 				c->kind = hid_output;
 				c->flags = dval;
 				goto ret;
@@ -251,27 +302,22 @@ top:
 				c->collection = dval;
 				c->collevel++;
 				*h = *c;
-				hid_clear_local(c);
-				s->nu = 0;
 				return (1);
 			case 11:	/* Feature */
-				if (!(s->kindset & (1 << hid_feature))) {
-					if (s->nu > 0)
-						s->nu--;
-					continue;
-				}
 				c->kind = hid_feature;
 				c->flags = dval;
 				goto ret;
 			case 12:	/* End collection */
 				c->kind = hid_endcollection;
+				if (c->collevel == 0) {
+					DPRINTFN(0, "invalid end collection\n");
+					return (0);
+				}
 				c->collevel--;
 				*h = *c;
-				hid_clear_local(c);
-				s->nu = 0;
 				return (1);
 			default:
-				printf("Main bTag=%d\n", bTag);
+				DPRINTFN(0, "Main bTag=%d\n", bTag);
 				break;
 			}
 			break;
@@ -303,53 +349,88 @@ top:
 				break;
 			case 8:
 				c->report_ID = dval;
+				/* new report - reset position */
+				c->loc.pos = 0;
 				break;
 			case 9:
 				c->loc.count = dval;
 				break;
 			case 10:	/* Push */
-				hi = malloc(sizeof *hi, M_TEMP, M_WAITOK);
-				*hi = s->cur;
-				c->next = hi;
+				s->pushlevel ++;
+				if (s->pushlevel < MAXPUSH) {
+					s->cur[s->pushlevel] = *c;
+					c = &s->cur[s->pushlevel];
+				} else {
+					DPRINTFN(0, "Cannot push "
+					    "item @ %d!\n", s->pushlevel);
+				}
 				break;
 			case 11:	/* Pop */
-				hi = c->next;
-				oldpos = c->loc.pos;
-				s->cur = *hi;
-				c->loc.pos = oldpos;
-				free(hi, M_TEMP);
+				s->pushlevel --;
+				if (s->pushlevel < MAXPUSH) {
+					/* preserve position */
+					oldpos = c->loc.pos;
+					c = &s->cur[s->pushlevel];
+					c->loc.pos = oldpos;
+				} else {
+					DPRINTFN(0, "Cannot pop "
+					    "item @ %d!\n", s->pushlevel);
+				}
 				break;
 			default:
-				printf("Global bTag=%d\n", bTag);
+				DPRINTFN(0, "Global bTag=%d\n", bTag);
 				break;
 			}
 			break;
 		case 2:		/* Local */
 			switch (bTag) {
 			case 0:
-				if (bSize == 1)
-					dval = c->_usage_page | (dval & 0xff);
-				else if (bSize == 2)
-					dval = c->_usage_page | (dval & 0xffff);
-				c->usage = dval;
-				if (s->nu < MAXUSAGE)
-					s->usages[s->nu++] = dval;
-				/* else XXX */
+				if (bSize != 4)
+					dval = (dval & mask) | c->_usage_page;
+
+				if (s->nusage < MAXUSAGE) {
+					s->usages_min[s->nusage] = dval;
+					s->usages_max[s->nusage] = dval;
+					s->nusage ++;
+				} else {
+					DPRINTFN(0, "max usage reached!\n");
+				}
+
+				/* clear any pending usage sets */
+				s->susage = 0;
 				break;
 			case 1:
-				s->minset = 1;
-				if (bSize == 1)
-					dval = c->_usage_page | (dval & 0xff);
-				else if (bSize == 2)
-					dval = c->_usage_page | (dval & 0xffff);
+				s->susage |= 1;
+
+				if (bSize != 4)
+					dval = (dval & mask) | c->_usage_page;
 				c->usage_minimum = dval;
-				break;
+
+				goto check_set;
 			case 2:
-				if (bSize == 1)
-					dval = c->_usage_page | (dval & 0xff);
-				else if (bSize == 2)
-					dval = c->_usage_page | (dval & 0xffff);
+				s->susage |= 2;
+
+				if (bSize != 4)
+					dval = (dval & mask) | c->_usage_page;
 				c->usage_maximum = dval;
+
+			check_set:
+				if (s->susage != 3)
+					break;
+
+				/* sanity check */
+				if ((s->nusage < MAXUSAGE) &&
+				    (c->usage_minimum < c->usage_maximum)) {
+					/* add usage range */
+					s->usages_min[s->nusage] = 
+					    c->usage_minimum;
+					s->usages_max[s->nusage] = 
+					    c->usage_maximum;
+					s->nusage ++;
+				} else {
+					DPRINTFN(0, "Usage set dropped!\n");
+				}
+				s->susage = 0;
 				break;
 			case 3:
 				c->designator_index = dval;
@@ -373,15 +454,16 @@ top:
 				c->set_delimiter = dval;
 				break;
 			default:
-				printf("Local bTag=%d\n", bTag);
+				DPRINTFN(0, "Local bTag=%d\n", bTag);
 				break;
 			}
 			break;
 		default:
-			printf("default bType=%d\n", bType);
+			DPRINTFN(0, "default bType=%d\n", bType);
 			break;
 		}
 	}
+	return (0);
 }
 
 /*------------------------------------------------------------------------*

Modified: head/sys/dev/usb/usb_hid.h
==============================================================================
--- head/sys/dev/usb/usb_hid.h	Sun Mar  8 22:55:17 2009	(r189546)
+++ head/sys/dev/usb/usb_hid.h	Sun Mar  8 22:58:19 2009	(r189547)
@@ -70,8 +70,6 @@ struct hid_item {
 	uint32_t flags;
 	/* Location */
 	struct hid_location loc;
-	/* */
-	struct hid_item *next;
 };
 
 /* prototypes from "usb2_hid.c" */



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200903082258.n28MwJJq001730>