diff options
author | Stefan Brüns <stefan.bruens@rwth-aachen.de> | 2016-01-17 04:09:51 +0100 |
---|---|---|
committer | Marek Vasut <marex@denx.de> | 2016-01-23 16:21:10 +0100 |
commit | 56a7bbd7412ae8dedca14877bb7aa45199de730c (patch) | |
tree | 995ae9799c9c46806ffca44a2020eda9de1774c1 /drivers/usb | |
parent | 12f229ea8f6c8e20f8fd07906eafc853c4c354a9 (diff) | |
download | u-boot-56a7bbd7412ae8dedca14877bb7aa45199de730c.tar.gz u-boot-56a7bbd7412ae8dedca14877bb7aa45199de730c.tar.xz u-boot-56a7bbd7412ae8dedca14877bb7aa45199de730c.zip |
usb: dwc2: Fix out-of-bounds access, fix chunk size
Fix two errors in transfer len calculation, move loop invariant code out
of loop.
If xfer_len is equal to CONFIG_DWC2_MAX_TRANSFER_SIZE (or slightly
smaller), the xfer_len will be to large, e.g.:
xfer_len = MAX_TRANSFER_SIZE = 65535
max packet size = 512
=> num_packets = 128
=> IN xfer_len = 65536
For OUT transactions larger than (65536 - mps) bytes, the xfer_len
determination is quite awkward, it is only correct due to:
- max_packet_size for control/bulk/interrupt is required to be
power-of-two.
- (CONFIG_DWC2_MAX_TRANSFER_SIZE + 1) % max-packet-size is zero
for all allowed (2^3 ... 2^9) packet sizes
As the max xfer len is loop invariant, it can be moved out of the loop.
Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Diffstat (limited to 'drivers/usb')
-rw-r--r-- | drivers/usb/host/dwc2.c | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/drivers/usb/host/dwc2.c b/drivers/usb/host/dwc2.c index 5ef6debd9a..d317104028 100644 --- a/drivers/usb/host/dwc2.c +++ b/drivers/usb/host/dwc2.c @@ -786,34 +786,34 @@ int chunk_msg(struct dwc2_priv *priv, struct usb_device *dev, uint32_t xfer_len; uint32_t num_packets; int stop_transfer = 0; + uint32_t max_xfer_len; debug("%s: msg: pipe %lx pid %d in %d len %d\n", __func__, pipe, *pid, in, len); + max_xfer_len = CONFIG_DWC2_MAX_PACKET_COUNT * max; + if (max_xfer_len > CONFIG_DWC2_MAX_TRANSFER_SIZE) + max_xfer_len = CONFIG_DWC2_MAX_TRANSFER_SIZE; + if (max_xfer_len > DWC2_DATA_BUF_SIZE) + max_xfer_len = DWC2_DATA_BUF_SIZE; + + /* Make sure that max_xfer_len is a multiple of max packet size. */ + num_packets = max_xfer_len / max; + max_xfer_len = num_packets * max; + do { /* Initialize channel */ dwc_otg_hc_init(regs, DWC2_HC_CHANNEL, dev, devnum, ep, in, eptype, max); xfer_len = len - done; - if (xfer_len > CONFIG_DWC2_MAX_TRANSFER_SIZE) - xfer_len = CONFIG_DWC2_MAX_TRANSFER_SIZE - max + 1; - if (xfer_len > DWC2_DATA_BUF_SIZE) - xfer_len = DWC2_DATA_BUF_SIZE - max + 1; - /* Make sure that xfer_len is a multiple of max packet size. */ - if (xfer_len > 0) { + if (xfer_len > max_xfer_len) + xfer_len = max_xfer_len; + else if (xfer_len > max) num_packets = (xfer_len + max - 1) / max; - if (num_packets > CONFIG_DWC2_MAX_PACKET_COUNT) { - num_packets = CONFIG_DWC2_MAX_PACKET_COUNT; - xfer_len = num_packets * max; - } - } else { + else num_packets = 1; - } - - if (in) - xfer_len = num_packets * max; debug("%s: chunk: pid %d xfer_len %u pkts %u\n", __func__, *pid, xfer_len, num_packets); |