[haiku-commits] haiku: hrev43620 - src/add-ons/kernel/drivers/input/usb_hid

  • From: mmlr@xxxxxxxx
  • To: haiku-commits@xxxxxxxxxxxxx
  • Date: Thu, 5 Jan 2012 00:34:06 +0100 (CET)

hrev43620 adds 1 changeset to branch 'master'
old head: 90b92dab5c83442b688ec80b7c63497ffce9da02
new head: f13be4928b1e32127ce71325fbf50f0e943c0566

----------------------------------------------------------------------------

f13be49: Pad the transfer buffer to prevent out of bounds access.
  
  The HIDReportItem reads 32 bit chunks from the report buffer. To avoid
  having to check the remaining buffer space on each extraction, we pad
  the buffer so it is always valid to read 32 bits at a time. Also add
  a comment explaining why we do it that way.
  
  Thanks to Johannes Anderwald for pointing out the potential out of
  bound access!

                                            [ Michael Lotz <mmlr@xxxxxxxx> ]

----------------------------------------------------------------------------

Revision:    hrev43620
Commit:      f13be4928b1e32127ce71325fbf50f0e943c0566
URL:         http://cgit.haiku-os.org/haiku/commit/?id=f13be49
Author:      Michael Lotz <mmlr@xxxxxxxx>
Date:        Wed Jan  4 22:33:07 2012 UTC

----------------------------------------------------------------------------

1 files changed, 5 insertions(+), 1 deletions(-)
.../kernel/drivers/input/usb_hid/HIDDevice.cpp     |    6 +++++-

----------------------------------------------------------------------------

diff --git a/src/add-ons/kernel/drivers/input/usb_hid/HIDDevice.cpp 
b/src/add-ons/kernel/drivers/input/usb_hid/HIDDevice.cpp
index 8028d4d..aeacd6e 100644
--- a/src/add-ons/kernel/drivers/input/usb_hid/HIDDevice.cpp
+++ b/src/add-ons/kernel/drivers/input/usb_hid/HIDDevice.cpp
@@ -186,7 +186,11 @@ HIDDevice::HIDDevice(usb_device device, const 
usb_configuration_info *config,
                return;
        }
 
-       fTransferBuffer = (uint8 *)malloc(fTransferBufferSize);
+       // We pad the allocation size so that we can always read 32 bits at a 
time
+       // (as done in HIDReportItem) without the need for an additional 
boundary
+       // check. We don't increase the transfer buffer size though as to not 
expose
+       // this implementation detail onto the device when scheduling transfers.
+       fTransferBuffer = (uint8 *)malloc(fTransferBufferSize + 3);
        if (fTransferBuffer == NULL) {
                TRACE_ALWAYS("failed to allocate transfer buffer\n");
                fStatus = B_NO_MEMORY;


Other related posts:

  • » [haiku-commits] haiku: hrev43620 - src/add-ons/kernel/drivers/input/usb_hid - mmlr