aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Brownell <david-b@pacbell.net>2008-03-04 18:11:07 -0500
committerGreg Kroah-Hartman <gregkh@suse.de>2008-04-25 00:16:41 -0400
commit25b70a8665e9854504b9196c3098dadd37c721aa (patch)
treecf477b2546d7e5f547ec8866a5eed7536d27fb69
parent70a1c9e086c2e267fbc4533cb870f34999b531d6 (diff)
USB: ehci: paranoia, reject large control transfers
Some EHCI fault paths with large control transfers aren't coded. Avoid problems by rejecting transfers that may need two qTDs (16+ KB). This is mostly paranoia; even 4 KB transfers are rare, and most HCDs use lower limits (so it's unlikely anyone would ever try such a thing). Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/usb/host/ehci-hcd.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
index 8c3e860bfce3..a02dcff5eb21 100644
--- a/drivers/usb/host/ehci-hcd.c
+++ b/drivers/usb/host/ehci-hcd.c
@@ -764,8 +764,14 @@ static int ehci_urb_enqueue (
764 INIT_LIST_HEAD (&qtd_list); 764 INIT_LIST_HEAD (&qtd_list);
765 765
766 switch (usb_pipetype (urb->pipe)) { 766 switch (usb_pipetype (urb->pipe)) {
767 // case PIPE_CONTROL: 767 case PIPE_CONTROL:
768 // case PIPE_BULK: 768 /* qh_completions() code doesn't handle all the fault cases
769 * in multi-TD control transfers. Even 1KB is rare anyway.
770 */
771 if (urb->transfer_buffer_length > (16 * 1024))
772 return -EMSGSIZE;
773 /* FALLTHROUGH */
774 /* case PIPE_BULK: */
769 default: 775 default:
770 if (!qh_urb_transaction (ehci, urb, &qtd_list, mem_flags)) 776 if (!qh_urb_transaction (ehci, urb, &qtd_list, mem_flags))
771 return -ENOMEM; 777 return -ENOMEM;