PERFORCE change 170304 for review

Sat Nov 7 01:02:40 UTC 2009

http://p4web.freebsd.org/chv.cgi?CH=170304

Change 170304 by hselasky at hselasky_laptop001 on 2009/11/07 01:02:23

	
	LibUSB:
	 - fix a memory leak on the USB backend
	 - fix invalid pointer computations (in one case memory outside 
	   the allocated area was written in LibUSB v1.0)
	 - make sure memory is always initialised, also in failing cases
	 - patch by: Robert Jenssen

Affected files ...

.. //depot/projects/usb/src/lib/libusb/libusb10.c#12 edit
.. //depot/projects/usb/src/lib/libusb/libusb10_desc.c#9 edit
.. //depot/projects/usb/src/lib/libusb/libusb20.c#8 edit
.. //depot/projects/usb/src/lib/libusb/libusb20_desc.c#4 edit
.. //depot/projects/usb/src/lib/libusb/libusb20_ugen20.c#10 edit

Differences ...

==== //depot/projects/usb/src/lib/libusb/libusb10.c#12 (text+ko) ====

@@ -416,6 +416,8 @@
 	libusb10_remove_pollfd(ctx, &dev->dev_poll);
 
 	libusb20_dev_close(pdev);
+
+	/* unref will free the "pdev" when the refcount reaches zero */
 	libusb_unref_device(dev);
 
 	/* make sure our event loop detects the closed device */

==== //depot/projects/usb/src/lib/libusb/libusb10_desc.c#9 (text+ko) ====

@@ -35,6 +35,8 @@
 #include "libusb.h"
 #include "libusb10.h"
 
+#define	N_ALIGN(n) (-((-(n)) & (-8UL)))
+
 /* USB descriptors */
 
 int
@@ -114,17 +116,17 @@
 
 	nalt = nif = pconf->num_interface;
 	nep = 0;
-	nextra = pconf->extra.len;
+	nextra = N_ALIGN(pconf->extra.len);
 
 	for (i = 0; i < nif; i++) {
 
 		pinf = pconf->interface + i;
-		nextra += pinf->extra.len;
+		nextra += N_ALIGN(pinf->extra.len);
 		nep += pinf->num_endpoints;
 		k = pinf->num_endpoints;
 		pend = pinf->endpoints;
 		while (k--) {
-			nextra += pend->extra.len;
+			nextra += N_ALIGN(pend->extra.len);
 			pend++;
 		}
 
@@ -132,12 +134,12 @@
 		nalt += pinf->num_altsetting;
 		pinf = pinf->altsetting;
 		while (j--) {
-			nextra += pinf->extra.len;
+			nextra += N_ALIGN(pinf->extra.len);
 			nep += pinf->num_endpoints;
 			k = pinf->num_endpoints;
 			pend = pinf->endpoints;
 			while (k--) {
-				nextra += pend->extra.len;
+				nextra += N_ALIGN(pend->extra.len);
 				pend++;
 			}
 			pinf++;
@@ -150,17 +152,18 @@
 	    (nalt * sizeof(libusb_interface_descriptor)) +
 	    (nep * sizeof(libusb_endpoint_descriptor));
 
+	nextra = N_ALIGN(nextra);
+
 	pconfd = malloc(nextra);
 
 	if (pconfd == NULL) {
 		free(pconf);
 		return (LIBUSB_ERROR_NO_MEM);
 	}
-	/* make sure memory is clean */
+	/* make sure memory is initialised */
 	memset(pconfd, 0, nextra);
 
-	pconfd->interface = (libusb_interface *) (pconfd +
-	    sizeof(libusb_config_descriptor));
+	pconfd->interface = (libusb_interface *) (pconfd + 1);
 
 	ifd = (libusb_interface_descriptor *) (pconfd->interface + nif);
 	endd = (libusb_endpoint_descriptor *) (ifd + nalt);
@@ -181,7 +184,7 @@
 		pconfd->extra_length = pconf->extra.len;
 		pconfd->extra = pextra;
 		memcpy(pextra, pconf->extra.ptr, pconfd->extra_length);
-		pextra += pconfd->extra_length;
+		pextra += N_ALIGN(pconfd->extra_length);
 	}
 	/* setup all interface and endpoint pointers */
 
@@ -221,7 +224,7 @@
 				ifd->extra_length = pinf->extra.len;
 				ifd->extra = pextra;
 				memcpy(pextra, pinf->extra.ptr, pinf->extra.len);
-				pextra += pinf->extra.len;
+				pextra += N_ALIGN(pinf->extra.len);
 			}
 			for (k = 0; k < pinf->num_endpoints; k++) {
 				pend = &pinf->endpoints[k];
@@ -238,7 +241,7 @@
 					endd->extra_length = pend->extra.len;
 					endd->extra = pextra;
 					memcpy(pextra, pend->extra.ptr, pend->extra.len);
-					pextra += pend->extra.len;
+					pextra += N_ALIGN(pend->extra.len);
 				}
 			}
 		}

==== //depot/projects/usb/src/lib/libusb/libusb20.c#8 (text+ko) ====

@@ -630,6 +630,9 @@
 	struct LIBUSB20_CONTROL_SETUP_DECODED req;
 	int error;
 
+	/* make sure memory is initialised */
+	memset(ptr, 0, len);
+
 	if (len < 4) {
 		/* invalid length */
 		return (LIBUSB20_ERROR_INVALID_PARAM);
@@ -1093,7 +1096,8 @@
 	if (pbe->methods->exit_backend) {
 		pbe->methods->exit_backend(pbe);
 	}
-	return;
+	/* free backend */
+	free(pbe);
 }
 
 void
@@ -1101,7 +1105,6 @@
 {
 	pdev->beMethods = pbe->methods;	/* copy backend methods */
 	TAILQ_INSERT_TAIL(&(pbe->usb_devs), pdev, dev_entry);
-	return;
 }
 
 void
@@ -1109,5 +1112,4 @@
     struct libusb20_device *pdev)
 {
 	TAILQ_REMOVE(&(pbe->usb_devs), pdev, dev_entry);
-	return;
 }

==== //depot/projects/usb/src/lib/libusb/libusb20_desc.c#4 (text+ko) ====

@@ -118,6 +118,9 @@
 	if (lub_config == NULL) {
 		return (NULL);		/* out of memory */
 	}
+	/* make sure memory is initialised */
+	memset(lub_config, 0, size);
+
 	lub_interface = (void *)(lub_config + 1);
 	lub_alt_interface = (void *)(lub_interface + niface_no_alt);
 	lub_endpoint = (void *)(lub_interface + niface);

==== //depot/projects/usb/src/lib/libusb/libusb20_ugen20.c#10 (text+ko) ====

@@ -449,6 +449,8 @@
 	uint16_t len;
 	int error;
 
+	/* make sure memory is initialised */
+	memset(&cdesc, 0, sizeof(cdesc));
 	memset(&gen_desc, 0, sizeof(gen_desc));
 
 	gen_desc.ugd_data = &cdesc;
@@ -468,6 +470,10 @@
 	if (!ptr) {
 		return (LIBUSB20_ERROR_NO_MEM);
 	}
+
+	/* make sure memory is initialised */
+	memset(ptr, 0, len);
+
 	gen_desc.ugd_data = ptr;
 	gen_desc.ugd_maxlen = len;
 
