ref: 546046b46bd920c9da13e46c87efa08ab0c85bfa
parent: 7722220ff5673036f3d058ebfdd45fe3078057da
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Fri Sep 22 08:55:26 EDT 2017
xhci: do bounds checking in capability walking, check if controller vanished on init (thunderbolt unplug)
--- a/sys/src/9/pc/usbxhci.c
+++ b/sys/src/9/pc/usbxhci.c
@@ -362,15 +362,20 @@
static u32int*
xecp(Ctlr *ctlr, uchar id, u32int *p)
{- u32int x;
+ u32int x, *e;
+ e = &ctlr->mmio[ctlr->pcidev->mem[0].size/4];
if(p == nil){p = ctlr->mmio;
x = ctlr->hccparams>>16;
- } else
+ } else {+ assert(p < e);
x = (*p>>8) & 255;
+ }
while(x != 0){p += x;
+ if(p >= e)
+ break;
x = *p;
if((x & 255) == id)
return p;
@@ -438,6 +443,8 @@
int i, j;
ctlr = hp->aux;
+ if(ctlr->mmio[CAPLENGTH] == -1)
+ error("controller vanished");ctlr->opr = &ctlr->mmio[(ctlr->mmio[CAPLENGTH]&0xFF)/4];
ctlr->dba = &ctlr->mmio[ctlr->mmio[DBOFF]/4];