
Commit 66b3838

committed
Limit interrupt/bulk read size.
1 parent b66baff commit 66b3838


8 files changed

+35
-29
lines changed


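--- a/IntelBluetoothFirmware/BtIntel.cpp
+++ b/IntelBluetoothFirmware/BtIntel.cpp
@@ -50,31 +50,31 @@ free()
 }
 
 bool BtIntel::
-intelSendHCISync(HciCommandHdr *cmd, void *event, uint32_t *size, int timeout)
+intelSendHCISync(HciCommandHdr *cmd, void *event, uint32_t eventBufSize, uint32_t *size, int timeout)
 {
 // XYLog("%s cmd: 0x%02x len: %d\n", __PRETTY_FUNCTION__, cmd->opcode, cmd->len);
 IOReturn ret;
 if ((ret = m_pUSBDeviceController->sendHCIRequest(cmd, timeout)) != kIOReturnSuccess) {
 XYLog("%s sendHCIRequest failed: %s %d", __FUNCTION__, m_pUSBDeviceController->stringFromReturn(ret), ret);
 return false;
 }
-if ((ret = m_pUSBDeviceController->interruptPipeRead(event, size, timeout)) != kIOReturnSuccess) {
+if ((ret = m_pUSBDeviceController->interruptPipeRead(event, eventBufSize, size, timeout)) != kIOReturnSuccess) {
 XYLog("%s interruptPipeRead failed: %s %d", __FUNCTION__, m_pUSBDeviceController->stringFromReturn(ret), ret);
 return false;
 }
 return true;
 }
 
 bool BtIntel::
-intelBulkHCISync(HciCommandHdr *cmd, void *event, uint32_t *size, int timeout)
+intelBulkHCISync(HciCommandHdr *cmd, void *event, uint32_t eventBufSize, uint32_t *size, int timeout)
 {
 // XYLog("%s cmd: 0x%02x len: %d\n", __FUNCTION__, cmd->opcode, cmd->len);
 IOReturn ret;
 if ((ret = m_pUSBDeviceController->bulkWrite(cmd, HCI_COMMAND_HDR_SIZE + cmd->len, timeout)) != kIOReturnSuccess) {
 XYLog("%s bulkWrite failed: %s %d", __FUNCTION__, m_pUSBDeviceController->stringFromReturn(ret), ret);
 return false;
 }
-if ((ret = m_pUSBDeviceController->bulkPipeRead(event, size, timeout)) != kIOReturnSuccess) {
+if ((ret = m_pUSBDeviceController->bulkPipeRead(event, eventBufSize, size, timeout)) != kIOReturnSuccess) {
 XYLog("%s bulkPipeRead failed: %s %d", __FUNCTION__, m_pUSBDeviceController->stringFromReturn(ret), ret);
 return false;
 }
@@ -97,7 +97,7 @@ securedSend(uint8_t fragmentType, uint32_t len, const uint8_t *fragment)
 hciCommand->data[0] = fragmentType;
 memcpy(hciCommand->data + 1, fragment, fragment_len);
 
-if (!(ret = intelBulkHCISync(hciCommand, NULL, NULL, HCI_INIT_TIMEOUT))) {
+if (!(ret = intelBulkHCISync(hciCommand, NULL, 0, NULL, HCI_INIT_TIMEOUT))) {
 XYLog("secure send failed\n");
 return ret;
 }
@@ -183,7 +183,7 @@ intelBoot(uint32_t bootAddr)
 * 1 second. However if that happens, then just fail the setup
 * since something went wrong.
 */
-IOReturn ret = m_pUSBDeviceController->interruptPipeRead(buf, &actLen, 1000);
+IOReturn ret = m_pUSBDeviceController->interruptPipeRead(buf, sizeof(buf), &actLen, 1000);
 if (ret != kIOReturnSuccess || actLen <= 0) {
 XYLog("Intel boot failed\n");
 if (ret == kIOReturnTimeout) {
@@ -226,7 +226,7 @@ loadDDCConfig(const char *ddcFileName)
 cmd->opcode = OSSwapHostToLittleInt16(0xfc8b);
 cmd->len = cmd_plen;
 memcpy(cmd->data, fw_ptr, cmd->len);
-if (!intelSendHCISync(cmd, NULL, NULL, HCI_INIT_TIMEOUT)) {
+if (!intelSendHCISync(cmd, NULL, 0, NULL, HCI_INIT_TIMEOUT)) {
 XYLog("Failed to send Intel_Write_DDC\n");
 return false;
 }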

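--- a/IntelBluetoothFirmware/BtIntel.h
+++ b/IntelBluetoothFirmware/BtIntel.h
@@ -190,9 +190,9 @@ class BtIntel : public OSObject {
 
 protected:
 
-bool intelSendHCISync(HciCommandHdr *cmd, void *event, uint32_t *size, int timeout);
+bool intelSendHCISync(HciCommandHdr *cmd, void *event, uint32_t eventBufSize, uint32_t *size, int timeout);
 
-bool intelBulkHCISync(HciCommandHdr *cmd, void *event, uint32_t *size, int timeout);
+bool intelBulkHCISync(HciCommandHdr *cmd, void *event, uint32_t eventBufSize, uint32_t *size, int timeout);
 
 protected:
 USBDeviceController *m_pUSBDeviceController;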
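Review bot: The new `eventBufSize` parameter on intelSendHCISync and intelBulkHCISync is undocumented, and the matching `buf_size` parameter on bulkPipeRead and interruptPipeRead in USBDeviceController.hpp has the same gap. From the controller changes in this commit, the value is the capacity of `event` in bytes, the copied response is clamped to it, and `*size` receives the clamped length rather than the device's actual response length; that is the contract a caller needs when sizing the buffer and interpreting `*size`. A comment such as `// eventBufSize: capacity of *event in bytes; a longer response is truncated and *size receives the truncated length (pass NULL/0 to discard the event)` above each declaration would capture it.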

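--- a/IntelBluetoothFirmware/BtIntelVSC.cpp
+++ b/IntelBluetoothFirmware/BtIntelVSC.cpp
@@ -21,7 +21,7 @@ enterMfg()
 cmd->data[0] = 0x01;
 cmd->data[1] = 0x00;
 
-return intelSendHCISync(cmd, NULL, NULL, HCI_CMD_TIMEOUT);
+return intelSendHCISync(cmd, NULL, 0, NULL, HCI_CMD_TIMEOUT);
 }
 
 bool BtIntel::
@@ -44,7 +44,7 @@ exitMfg(bool reset, bool patched)
 if (reset)
 cmd->data[1] |= patched ? 0x02 : 0x01;
 
-return intelSendHCISync(cmd, NULL, NULL, HCI_CMD_TIMEOUT);
+return intelSendHCISync(cmd, NULL, 0, NULL, HCI_CMD_TIMEOUT);
 }
 
 bool BtIntel::
@@ -61,7 +61,7 @@ setEventMask(bool debug)
 cmd->len = 8;
 memcpy(cmd->data, mask, 8);
 
-return intelSendHCISync(cmd, NULL, NULL, HCI_INIT_TIMEOUT);
+return intelSendHCISync(cmd, NULL, 0, NULL, HCI_INIT_TIMEOUT);
 }
 
 bool BtIntel::
@@ -93,7 +93,7 @@ readVersion(IntelVersion *version)
 HciResponse *resp = (HciResponse *)buf;
 
 memset(buf, 0, sizeof(buf));
-if (!intelSendHCISync(&cmd, resp, &actLen, HCI_CMD_TIMEOUT)) {
+if (!intelSendHCISync(&cmd, resp, sizeof(buf), &actLen, HCI_CMD_TIMEOUT)) {
 XYLog("Reading Intel version information failed\n");
 return false;
 }
@@ -137,7 +137,7 @@ readBootParams(IntelBootParams *params)
 HciResponse *resp = (HciResponse *)buf;
 
 memset(buf, 0, sizeof(buf));
-if (!intelSendHCISync(&cmd, resp, &actLen, HCI_INIT_TIMEOUT)) {
+if (!intelSendHCISync(&cmd, resp, sizeof(buf), &actLen, HCI_INIT_TIMEOUT)) {
 XYLog("Reading Intel boot parameters failed\n");
 return false;
 }
@@ -236,7 +236,7 @@ readDebugFeatures(IntelDebugFeatures *features)
 cmd->len = sizeof(page_no);
 cmd->data[0] = page_no;
 
-if (!intelSendHCISync(cmd, resp, &actLen, HCI_INIT_TIMEOUT)) {
+if (!intelSendHCISync(cmd, resp, sizeof(temp), &actLen, HCI_INIT_TIMEOUT)) {
 XYLog("Reading supported features failed\n");
 return false;
 }
@@ -275,7 +275,7 @@ setDebugFeatures(IntelDebugFeatures *features)
 cmd->len = 11;
 memcpy(cmd->data, mask, 11);
 
-if (!intelSendHCISync(cmd, NULL, NULL, HCI_INIT_TIMEOUT)) {
+if (!intelSendHCISync(cmd, NULL, 0, NULL, HCI_INIT_TIMEOUT)) {
 XYLog("Setting Intel telemetry ddc write event mask failed\n");
 return false;
 }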
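Review bot: In readDebugFeatures the bound passed is `sizeof(temp)` while the pointer passed is `resp`, so a reader cannot confirm from the call site that the two refer to the same storage; the same pattern appears in patching (IntelBluetoothOpsGen1.cpp, `resp` vs `respBuf`) and in both downloadFirmware hunks (IntelBluetoothOpsGen2.cpp and IntelBluetoothOpsGen3.cpp, `resp` vs `buf`). Where the declaration is visible (readVersion, readBootParams) `resp` is a cast of `buf`, so presumably the other sites follow the same pattern, but if `resp` ever points at something smaller than the named array the bound is too large and the controller's clamp no longer protects the copy. Passing the array itself, e.g. `intelSendHCISync(cmd, temp, sizeof(temp), &actLen, HCI_INIT_TIMEOUT)` and keeping `resp` only for parsing afterwards, or adding `// resp aliases temp` at each site, would make the bound locally verifiable. The enclosing functions start outside these hunks.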

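--- a/IntelBluetoothFirmware/IntelBluetoothOpsGen1.cpp
+++ b/IntelBluetoothFirmware/IntelBluetoothOpsGen1.cpp
@@ -192,7 +192,7 @@ hciReset()
 .len = 0,
 };
 
-return intelSendHCISync(&cmd, NULL, NULL, HCI_INIT_TIMEOUT);
+return intelSendHCISync(&cmd, NULL, 0, NULL, HCI_INIT_TIMEOUT);
 }
 
 OSData *IntelBluetoothOpsGen1::
@@ -311,7 +311,7 @@ patching(OSData *fwData, const uint8_t **fw_ptr, bool *disablePatch)
 hciCmd->len = cmd->len;
 memcpy(hciCmd->data, cmdParam, hciCmd->len);
 
-if (!intelSendHCISync(hciCmd, resp, &actRespLen, HCI_INIT_TIMEOUT)) {
+if (!intelSendHCISync(hciCmd, resp, sizeof(respBuf), &actRespLen, HCI_INIT_TIMEOUT)) {
 XYLog("sending Intel patch command (0x%4.4x) failed\n", hciCmd->opcode);
 return false;
 }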

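--- a/IntelBluetoothFirmware/IntelBluetoothOpsGen2.cpp
+++ b/IntelBluetoothFirmware/IntelBluetoothOpsGen2.cpp
@@ -236,7 +236,7 @@ downloadFirmware(IntelVersion *ver, IntelBootParams *params, uint32_t *bootParam
 * of this device.
 */
 memset(buf, 0, sizeof(buf));
-ior = m_pUSBDeviceController->interruptPipeRead(resp, &actSize, 5000);
+ior = m_pUSBDeviceController->interruptPipeRead(resp, sizeof(buf), &actSize, 5000);
 if (ior != kIOReturnSuccess) {
 XYLog("waiting for firmware download done timeout\n");
 resetToBootloader();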

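--- a/IntelBluetoothFirmware/IntelBluetoothOpsGen3.cpp
+++ b/IntelBluetoothFirmware/IntelBluetoothOpsGen3.cpp
@@ -180,7 +180,7 @@ downloadFirmware(IntelVersionTLV *ver, uint32_t *bootParams)
 * of this device.
 */
 memset(buf, 0, sizeof(buf));
-ior = m_pUSBDeviceController->interruptPipeRead(resp, &actSize, 5000);
+ior = m_pUSBDeviceController->interruptPipeRead(resp, sizeof(buf), &actSize, 5000);
 if (ior != kIOReturnSuccess) {
 XYLog("waiting for firmware download done timeout\n");
 resetToBootloader();
@@ -358,7 +358,7 @@ readVersionTLV(IntelVersionTLV *version)
 cmd->data[0] = 0xFF;
 
 memset(respBuf, 0, sizeof(respBuf));
-if (!intelSendHCISync(cmd, resp, &actLen, HCI_CMD_TIMEOUT)) {
+if (!intelSendHCISync(cmd, resp, sizeof(respBuf), &actLen, HCI_CMD_TIMEOUT)) {
 XYLog("Reading Intel version information failed\n");
 return false;
 }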

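--- a/IntelBluetoothFirmware/USBDeviceController.cpp
+++ b/IntelBluetoothFirmware/USBDeviceController.cpp
@@ -183,7 +183,7 @@ findPipes()
 }
 
 IOReturn USBDeviceController::
-bulkPipeRead(void *buf, uint32_t *size, uint32_t timeout)
+bulkPipeRead(void *buf, uint32_t buf_size, uint32_t *size, uint32_t timeout)
 {
 uint32_t actualLength = 0;
 IOReturn ret = m_pBulkReadPipe->io(mReadBuffer, (uint32_t)mReadBuffer->getLength(), actualLength, timeout);
@@ -192,11 +192,14 @@ bulkPipeRead(void *buf, uint32_t *size, uint32_t timeout)
 ret = m_pBulkReadPipe->io(mReadBuffer, (uint32_t)mReadBuffer->getLength(), actualLength, timeout);
 }
 if (ret == kIOReturnSuccess) {
+if (buf && actualLength > buf_size) {
+XYLog("%s buf size too small. buflen: %d act: %d\n", __FUNCTION__, buf_size, actualLength);
+}
 if (buf) {
-memcpy(buf, mReadBuffer->getBytesNoCopy(), actualLength);
+memcpy(buf, mReadBuffer->getBytesNoCopy(), min(actualLength, buf_size));
 }
 if (size) {
-*size = actualLength;
+*size = min(actualLength, buf_size);
 }
 } else {
 XYLog("%s failed: %s %d\n", __FUNCTION__, stringFromReturn(ret), ret);
@@ -228,7 +231,7 @@ interruptHandler(void *owner, void *parameter, IOReturn status, uint32_t bytesTr
 }
 
 IOReturn USBDeviceController::
-interruptPipeRead(void *buf, uint32_t *size, uint32_t timeout)
+interruptPipeRead(void *buf, uint32_t buf_size, uint32_t *size, uint32_t timeout)
 {
 AbsoluteTime deadline;
 IOUSBHostCompletion comple;
@@ -259,11 +262,14 @@ interruptPipeRead(void *buf, uint32_t *size, uint32_t timeout)
 XYLog("%s invalid response size: %d\n", __FUNCTION__, interrupResp.dataLen);
 return kIOReturnError;
 }
+if (buf && interrupResp.dataLen > buf_size) {
+XYLog("%s buf size too small. buflen: %d act: %d\n", __FUNCTION__, buf_size, interrupResp.dataLen);
+}
 if (buf) {
-memcpy(buf, mReadBuffer->getBytesNoCopy(), min(interrupResp.dataLen, buf_size));
+memcpy(buf, mReadBuffer->getBytesNoCopy(), min(interrupResp.dataLen, buf_size));
 }
 if (size) {
-*size = interrupResp.dataLen;
+*size = min(interrupResp.dataLen, buf_size);
 }
 IOLockUnlock(_hciLock);
 } else {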
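Review bot: A response longer than `buf_size` is only logged in the new `buf && actualLength > buf_size` branch of bulkPipeRead and then reported as kIOReturnSuccess with `*size` set to the clamped length, so a caller cannot distinguish a truncated event from a complete short one and will parse a partial HCI response as if it were whole; interruptPipeRead has the same shape with `interrupResp.dataLen`. Returning an error from that branch, e.g. `return kIOReturnOverrun;` after the XYLog, or leaving `*size` at the real length so the caller can compare it against its own buffer, would surface the condition instead of hiding it. In interruptPipeRead the copy is followed by `IOLockUnlock(_hciLock)` and the lock acquisition is outside the hunk, so any early return added there must release the lock first. Separately, the new XYLog lines print `buf_size` (a uint32_t) with `%d`; `%u` is the matching conversion. Both functions end outside the shown lines.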

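--- a/IntelBluetoothFirmware/USBDeviceController.hpp
+++ b/IntelBluetoothFirmware/USBDeviceController.hpp
@@ -39,9 +39,9 @@ class USBDeviceController : public OSObject {
 
 virtual bool findPipes();
 
-IOReturn bulkPipeRead(void *buf, uint32_t *size, uint32_t timeout);
+IOReturn bulkPipeRead(void *buf, uint32_t buf_size, uint32_t *size, uint32_t timeout);
 
-IOReturn interruptPipeRead(void *buf, uint32_t *size, uint32_t timeout);
+IOReturn interruptPipeRead(void *buf, uint32_t buf_size, uint32_t *size, uint32_t timeout);
 
 IOReturn sendHCIRequest(HciCommandHdr *cmd, uint32_t timeout);
 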
