Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753147AbdFLR2D (ORCPT <rfc822;w@1wt.eu>);
        Mon, 12 Jun 2017 13:28:03 -0400
Received: from mail-wr0-f194.google.com ([209.85.128.194]:36182 "EHLO
        mail-wr0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753366AbdFLR1M (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Jun 2017 13:27:12 -0400
From: Tal Shorer <tal.shorer@gmail.com>
To: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-usb@vger.kernel.org, gregkh@linuxfoundation.org,
        balbi@kernel.org, corbet@lwn.net
Cc: Tal Shorer <tal.shorer@gmail.com>
Subject: [PATCH 3/8] usb: gadget: f_acm: validate set_line_coding requests
Date: Mon, 12 Jun 2017 20:26:10 +0300
Message-Id: <1497288375-3559-4-git-send-email-tal.shorer@gmail.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1497288375-3559-1-git-send-email-tal.shorer@gmail.com>
References: <1497288375-3559-1-git-send-email-tal.shorer@gmail.com>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1727
Lines: 46

We shouldn't accept malformed set_line_coding requests.
All values were taken from table 17 (section 6.3.11) of the cdc1.2 spec
available at http://www.usb.org/developers/docs/devclass_docs/
The table is in the file PTSN120.pdf.

Signed-off-by: Tal Shorer <tal.shorer@gmail.com>
---
 drivers/usb/gadget/function/f_acm.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/gadget/function/f_acm.c b/drivers/usb/gadget/function/f_acm.c
index 5e3828d..e023313 100644
--- a/drivers/usb/gadget/function/f_acm.c
+++ b/drivers/usb/gadget/function/f_acm.c
@@ -326,13 +326,22 @@ static void acm_complete_set_line_coding(struct usb_ep *ep,
 		struct usb_cdc_line_coding	*value = req->buf;
 
 		/* REVISIT:  we currently just remember this data.
-		 * If we change that, (a) validate it first, then
-		 * (b) update whatever hardware needs updating,
-		 * (c) worry about locking.  This is information on
-		 * the order of 9600-8-N-1 ... most of which means
-		 * nothing unless we control a real RS232 line.
-		 */
-		acm->port_line_coding = *value;
+		* If we change that,
+		* (a) update whatever hardware needs updating,
+		* (b) worry about locking.  This is information on
+		* the order of 9600-8-N-1 ... most of which means
+		* nothing unless we control a real RS232 line.
+		*/
+		dev_dbg(&cdev->gadget->dev,
+			"acm ttyGS%d set_line_coding: %d %d %d %d\n",
+			acm->port_num, le32_to_cpu(value->dwDTERate),
+			value->bCharFormat, value->bParityType,
+			value->bDataBits);
+		if (value->bCharFormat > 2 || value->bParityType > 4 ||
+				value->bDataBits < 5 || value->bDataBits > 8)
+			usb_ep_set_halt(ep);
+		else
+			acm->port_line_coding = *value;
 	}
 }
 
-- 
2.7.4