From 735ba17cadd75420bb24a758c3c3e89c9fad4654 Mon Sep 17 00:00:00 2001 From: Johann Fischer Date: Fri, 19 Feb 2021 01:03:55 +0100 Subject: [PATCH] drivers: usb_dc_native_posix: read setup packet as part of submit struct USB setup packet is a part of USBIP_CMD_SUBMIT, but missing in struct usbip_submit. This patch fixes it and removes usbip_skip_setup() and adds an additional integrity check in handle_usb_control(). Signed-off-by: Johann Fischer --- drivers/usb/device/usb_dc_native_posix.c | 14 ++++++++------ .../usb/device/usb_dc_native_posix_adapt.c | 19 ------------------- .../usb/device/usb_dc_native_posix_adapt.h | 6 +++++- 3 files changed, 13 insertions(+), 26 deletions(-) diff --git a/drivers/usb/device/usb_dc_native_posix.c b/drivers/usb/device/usb_dc_native_posix.c index 3517d0e5c47..c5f7e38e308 100644 --- a/drivers/usb/device/usb_dc_native_posix.c +++ b/drivers/usb/device/usb_dc_native_posix.c @@ -512,9 +512,16 @@ int handle_usb_control(struct usbip_header *hdr) return -EIO; } + if ((ntohl(hdr->common.direction) == USBIP_DIR_IN) ^ + (REQTYPE_GET_DIR(hdr->u.submit.bmRequestType) == + REQTYPE_DIR_TO_HOST)) { + LOG_ERR("Failed to verify bmRequestType"); + return -EIO; + } + ep_ctrl->data_len = 8; LOG_DBG("SETUP event ep 0x%02x %u", ep_idx, ep_ctrl->data_len); - usbip_recv(ep_ctrl->buf, ep_ctrl->data_len); + memcpy(ep_ctrl->buf, &hdr->u.submit.bmRequestType, ep_ctrl->data_len); ep_ctrl->cb(ep_idx, USB_DC_EP_SETUP); if (ntohl(hdr->common.direction) == USBIP_DIR_OUT) { @@ -561,11 +568,6 @@ int handle_usb_data(struct usbip_header *hdr) ep = ep_idx | USB_EP_DIR_IN; LOG_DBG("DATA IN event ep 0x%02x %u", ep, ep_ctrl->buf_len); - /* Read USB setup, not handled */ - if (!usbip_skip_setup()) { - return -EIO; - } - /* Send queued data */ if (!usbip_send_common(ep, ep_ctrl->buf_len)) { return -EIO; diff --git a/drivers/usb/device/usb_dc_native_posix_adapt.c b/drivers/usb/device/usb_dc_native_posix_adapt.c index 197ea15cbd3..8fcae47ef4e 100644 --- a/drivers/usb/device/usb_dc_native_posix_adapt.c +++ b/drivers/usb/device/usb_dc_native_posix_adapt.c @@ -209,19 +209,6 @@ static void handle_usbip_submit(int connfd, struct usbip_header *hdr) } } -bool usbip_skip_setup(void) -{ - uint64_t setup; - - LOG_DBG("Skip 8 bytes"); - - if (usbip_recv((void *)&setup, sizeof(setup)) != sizeof(setup)) { - return false; - } - - return true; -} - static void handle_usbip_unlink(int connfd, struct usbip_header *hdr) { int read; @@ -235,12 +222,6 @@ static void handle_usbip_unlink(int connfd, struct usbip_header *hdr) return; } - /* Read USB setup, not handled */ - if (!usbip_skip_setup()) { - LOG_ERR("setup skipping failed"); - return; - } - usbip_header_dump((void *)hdr); /* TODO: unlink */ diff --git a/drivers/usb/device/usb_dc_native_posix_adapt.h b/drivers/usb/device/usb_dc_native_posix_adapt.h index d99c47db57f..a7ec89bfe2e 100644 --- a/drivers/usb/device/usb_dc_native_posix_adapt.h +++ b/drivers/usb/device/usb_dc_native_posix_adapt.h @@ -67,6 +67,11 @@ struct usbip_submit { int32_t start_frame; int32_t number_of_packets; int32_t interval; + uint8_t bmRequestType; + uint8_t bRequest; + uint16_t wValue; + uint16_t wIndex; + uint16_t wLength; } __packed; struct usbip_unlink { @@ -104,4 +109,3 @@ void usbip_start(void); int handle_usb_control(struct usbip_header *hdr); int handle_usb_data(struct usbip_header *hdr); -bool usbip_skip_setup(void);