hrev52557 adds 2 changesets to branch 'master'
old head: 59ecfa6cb620abe17a41ad72d746d8a35f671ad6
new head: 400ed5ca507ae709028cc8c1f9cc17059485a12c
overview:
https://git.haiku-os.org/haiku/log/?qt=range&q=400ed5ca507a+%5E59ecfa6cb620
----------------------------------------------------------------------------
2897df967633: bluetooth: ioctls always pass size on Haiku.
400ed5ca507a: h2generic: Copy the user buffer before using it.
[ Augustin Cavalier <waddlesplash@xxxxxxxxx> ]
----------------------------------------------------------------------------
3 files changed, 6 insertions(+), 30 deletions(-)
headers/os/bluetooth/HCI/btHCI.h | 7 -------
.../drivers/bluetooth/h2/h2generic/h2generic.cpp | 14 ++++++--------
src/kits/bluetooth/CommandManager.cpp | 15 ---------------
############################################################################
Commit: 2897df967633aab846ff4917b53e2af7d1e54eeb
URL: https://git.haiku-os.org/haiku/commit/?id=2897df967633
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Sun Nov 18 19:42:09 2018 UTC
bluetooth: ioctls always pass size on Haiku.
----------------------------------------------------------------------------
diff --git a/headers/os/bluetooth/HCI/btHCI.h b/headers/os/bluetooth/HCI/btHCI.h
index 031fe0871b..b1489dec7b 100644
--- a/headers/os/bluetooth/HCI/btHCI.h
+++ b/headers/os/bluetooth/HCI/btHCI.h
@@ -42,13 +42,6 @@ const char* BluetoothError(uint8 error);
#define HCI_FEATURES_SIZE 8 /* LMP features */
#define HCI_DEVICE_NAME_SIZE 248 /* unit name size */
-/* Device drivers need to take this into account
- * when receiving ioctls. Only applies to R5 builds
- * in deprecation process
- */
-#define BT_IOCTLS_PASS_SIZE
-
-
// HCI Packet types
#define HCI_2DH1 0x0002
#define HCI_3DH1 0x0004
diff --git a/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
b/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
index 16a2c225d8..f5d3e4b09a 100644
--- a/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
+++ b/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
@@ -618,16 +618,11 @@ device_control(void* cookie, uint32 msg, void* params,
size_t size)
switch (msg) {
case ISSUE_BT_COMMAND:
-#ifdef BT_IOCTLS_PASS_SIZE
if (size == 0) {
TRACE("%s: Invalid size control\n", __func__);
err = B_BAD_VALUE;
break;
}
-#else
- size = (*((size_t*)params));
- (*(size_t**)¶ms)++;
-#endif
// TODO: Reuse from some TXcompleted queue
// snbuf = snb_create(size);
diff --git a/src/kits/bluetooth/CommandManager.cpp
b/src/kits/bluetooth/CommandManager.cpp
index 931f4d18f6..513383e00f 100644
--- a/src/kits/bluetooth/CommandManager.cpp
+++ b/src/kits/bluetooth/CommandManager.cpp
@@ -16,22 +16,11 @@ inline void* buildCommand(uint8 ogf, uint8 ocf, void**
param, size_t psize,
CALLED();
struct hci_command_header* header;
-#ifdef BT_IOCTLS_PASS_SIZE
header = (struct hci_command_header*) malloc(psize
+ sizeof(struct hci_command_header));
*outsize = psize + sizeof(struct hci_command_header);
-#else
- size_t* size = (size_t*)malloc(psize + sizeof(struct hci_command_header)
- + sizeof(size_t));
- *outsize = psize + sizeof(struct hci_command_header) + sizeof(size_t);
-
- *size = psize + sizeof(struct hci_command_header);
- header = (struct hci_command_header*) (((uint8*)size)+4);
-#endif
-
if (header != NULL) {
-
header->opcode = B_HOST_TO_LENDIAN_INT16(PACK_OPCODE(ogf, ocf));
header->clen = psize;
@@ -39,11 +28,7 @@ inline void* buildCommand(uint8 ogf, uint8 ocf, void**
param, size_t psize,
*param = ((uint8*)header) + sizeof(struct
hci_command_header);
}
}
-#ifdef BT_IOCTLS_PASS_SIZE
return header;
-#else
- return (void*)size;
-#endif
}
############################################################################
Revision: hrev52557
Commit: 400ed5ca507ae709028cc8c1f9cc17059485a12c
URL: https://git.haiku-os.org/haiku/commit/?id=400ed5ca507a
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Sun Nov 18 19:50:53 2018 UTC
h2generic: Copy the user buffer before using it.
----------------------------------------------------------------------------
diff --git a/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
b/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
index f5d3e4b09a..13985d3024 100644
--- a/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
+++ b/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
@@ -591,7 +591,7 @@ device_free(void* cookie)
// implements the POSIX ioctl()
static status_t
-device_control(void* cookie, uint32 msg, void* params, size_t size)
+device_control(void* cookie, uint32 msg, void* _params, size_t size)
{
status_t err = B_ERROR;
bt_usb_dev* bdev = (bt_usb_dev*)cookie;
@@ -609,11 +609,15 @@ device_control(void* cookie, uint32 msg, void* params,
size_t size)
return B_BAD_VALUE;
}
- if (params == NULL) {
+ if (_params == NULL || !IS_USER_ADDRESS(_params)) {
TRACE("%s: Invalid pointer control\n", __func__);
return B_BAD_VALUE;
}
+ void* params = alloca(size);
+ if (user_memcpy(params, _params, size) != B_OK)
+ return B_BAD_ADDRESS;
+
acquire_sem(bdev->lock);
switch (msg) {
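Review bot: `alloca(size)` takes its length straight from the ioctl caller, and nothing visible in this hunk puts an upper bound on it, so an oversized `size` from userland can run past the kernel stack before `user_memcpy` gets a chance to fail. The only size check shown on this page is the `size == 0` test inside the `ISSUE_BT_COMMAND` case, which runs after this copy and sets no maximum. I would reject oversized requests ahead of the allocation, e.g. `if (size > MAX_CONTROL_SIZE) return B_BAD_VALUE;`, where `MAX_CONTROL_SIZE` is a placeholder name for a limit derived from the largest command the driver accepts. An alternative is to copy into a bounded heap buffer that is freed on every exit path. The start of device_control's body lies outside the hunk, so confirm whether a limit is already enforced there.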
@@ -634,7 +638,6 @@ device_control(void* cookie, uint32 msg, void* params,
size_t size)
break;
case BT_UP:
-
// EVENTS
err = submit_rx_event(bdev);
if (err != B_OK) {