[haiku-commits] haiku: hrev52557 - src/add-ons/kernel/drivers/bluetooth/h2/h2generic src/kits/bluetooth headers/os/bluetooth/HCI

  • From: waddlesplash <waddlesplash@xxxxxxxxx>
  • To: haiku-commits@xxxxxxxxxxxxx
  • Date: Sun, 18 Nov 2018 14:56:56 -0500 (EST)

hrev52557 adds 2 changesets to branch 'master'
old head: 59ecfa6cb620abe17a41ad72d746d8a35f671ad6
new head: 400ed5ca507ae709028cc8c1f9cc17059485a12c
overview: 
https://git.haiku-os.org/haiku/log/?qt=range&q=400ed5ca507a+%5E59ecfa6cb620

----------------------------------------------------------------------------

2897df967633: bluetooth: ioctls always pass size on Haiku.

400ed5ca507a: h2generic: Copy the user buffer before using it.

                              [ Augustin Cavalier <waddlesplash@xxxxxxxxx> ]

----------------------------------------------------------------------------

3 files changed, 6 insertions(+), 30 deletions(-)
headers/os/bluetooth/HCI/btHCI.h                      |  7 -------
.../drivers/bluetooth/h2/h2generic/h2generic.cpp      | 14 ++++++--------
src/kits/bluetooth/CommandManager.cpp                 | 15 ---------------

############################################################################

Commit:      2897df967633aab846ff4917b53e2af7d1e54eeb
URL:         https://git.haiku-os.org/haiku/commit/?id=2897df967633
Author:      Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date:        Sun Nov 18 19:42:09 2018 UTC

bluetooth: ioctls always pass size on Haiku.

----------------------------------------------------------------------------

diff --git a/headers/os/bluetooth/HCI/btHCI.h b/headers/os/bluetooth/HCI/btHCI.h
index 031fe0871b..b1489dec7b 100644
--- a/headers/os/bluetooth/HCI/btHCI.h
+++ b/headers/os/bluetooth/HCI/btHCI.h
@@ -42,13 +42,6 @@ const char* BluetoothError(uint8 error);
 #define HCI_FEATURES_SIZE              8       /* LMP features */
 #define HCI_DEVICE_NAME_SIZE   248     /* unit name size */
 
-/* Device drivers need to take this into account
- * when receiving ioctls. Only applies to R5 builds
- * in deprecation process
- */
-#define BT_IOCTLS_PASS_SIZE
-
-
 // HCI Packet types
 #define HCI_2DH1        0x0002
 #define HCI_3DH1        0x0004
diff --git a/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp 
b/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
index 16a2c225d8..f5d3e4b09a 100644
--- a/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
+++ b/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
@@ -618,16 +618,11 @@ device_control(void* cookie, uint32 msg, void* params, 
size_t size)
 
        switch (msg) {
                case ISSUE_BT_COMMAND:
-#ifdef BT_IOCTLS_PASS_SIZE
                        if (size == 0) {
                                TRACE("%s: Invalid size control\n", __func__);
                                err = B_BAD_VALUE;
                                break;
                        }
-#else
-                       size = (*((size_t*)params));
-                       (*(size_t**)&params)++;
-#endif
 
                        // TODO: Reuse from some TXcompleted queue
                        // snbuf = snb_create(size);
diff --git a/src/kits/bluetooth/CommandManager.cpp 
b/src/kits/bluetooth/CommandManager.cpp
index 931f4d18f6..513383e00f 100644
--- a/src/kits/bluetooth/CommandManager.cpp
+++ b/src/kits/bluetooth/CommandManager.cpp
@@ -16,22 +16,11 @@ inline void* buildCommand(uint8 ogf, uint8 ocf, void** 
param, size_t psize,
        CALLED();
        struct hci_command_header* header;
 
-#ifdef BT_IOCTLS_PASS_SIZE
        header = (struct hci_command_header*) malloc(psize
                + sizeof(struct hci_command_header));
        *outsize = psize + sizeof(struct hci_command_header);
-#else
-       size_t* size = (size_t*)malloc(psize + sizeof(struct hci_command_header)
-               + sizeof(size_t));
-       *outsize = psize + sizeof(struct hci_command_header) + sizeof(size_t);
-
-       *size = psize + sizeof(struct hci_command_header);
-       header = (struct hci_command_header*) (((uint8*)size)+4);
-#endif
-
 
        if (header != NULL) {
-
                header->opcode = B_HOST_TO_LENDIAN_INT16(PACK_OPCODE(ogf, ocf));
                header->clen = psize;
 
@@ -39,11 +28,7 @@ inline void* buildCommand(uint8 ogf, uint8 ocf, void** 
param, size_t psize,
                        *param = ((uint8*)header) + sizeof(struct 
hci_command_header);
                }
        }
-#ifdef BT_IOCTLS_PASS_SIZE
        return header;
-#else
-       return (void*)size;
-#endif
 }
 
 

############################################################################

Revision:    hrev52557
Commit:      400ed5ca507ae709028cc8c1f9cc17059485a12c
URL:         https://git.haiku-os.org/haiku/commit/?id=400ed5ca507a
Author:      Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date:        Sun Nov 18 19:50:53 2018 UTC

h2generic: Copy the user buffer before using it.

----------------------------------------------------------------------------

diff --git a/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp 
b/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
index f5d3e4b09a..13985d3024 100644
--- a/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
+++ b/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
@@ -591,7 +591,7 @@ device_free(void* cookie)
 
 // implements the POSIX ioctl()
 static status_t
-device_control(void* cookie, uint32 msg, void* params, size_t size)
+device_control(void* cookie, uint32 msg, void* _params, size_t size)
 {
        status_t        err = B_ERROR;
        bt_usb_dev*     bdev = (bt_usb_dev*)cookie;
@@ -609,11 +609,15 @@ device_control(void* cookie, uint32 msg, void* params, 
size_t size)
                return B_BAD_VALUE;
        }
 
-       if (params == NULL) {
+       if (_params == NULL || !IS_USER_ADDRESS(_params)) {
                TRACE("%s: Invalid pointer control\n", __func__);
                return B_BAD_VALUE;
        }
 
+       void* params = alloca(size);
+       if (user_memcpy(params, _params, size) != B_OK)
+               return B_BAD_ADDRESS;
+
        acquire_sem(bdev->lock);
 
        switch (msg) {
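Review bot: The added `alloca(size)` takes its length directly from the ioctl caller, and no upper bound on `size` is visible in this hunk, so an oversized request could push the allocation past the end of the kernel stack before `user_memcpy` writes into it. `alloca` has no failure return, so the limit has to be enforced before the call, for example `if (size == 0 || size > BT_IOCTL_MAX_SIZE) return B_BAD_VALUE;`, where `BT_IOCTL_MAX_SIZE` is a placeholder for a limit the driver would define. Alternatively, use a bounded heap buffer that is freed on every exit path. Whether a layer above the driver already caps `size` cannot be told from here, so a comment such as `// size is caller-controlled; bounded above before copying to the stack` would record the assumption. The body of device_control continues outside the hunk, so how each `case` uses the copied buffer is not visible.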
@@ -634,7 +638,6 @@ device_control(void* cookie, uint32 msg, void* params, 
size_t size)
                break;
 
                case BT_UP:
-
                        //  EVENTS
                        err = submit_rx_event(bdev);
                        if (err != B_OK) {

