diff options
author | David Brownell <david-b@pacbell.net> | 2008-03-05 00:11:07 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2008-04-25 06:16:41 +0200 |
commit | 25b70a8665e9854504b9196c3098dadd37c721aa (patch) | |
tree | cf477b2546d7e5f547ec8866a5eed7536d27fb69 /drivers | |
parent | USB: remove dev->power.power_state (diff) | |
download | linux-25b70a8665e9854504b9196c3098dadd37c721aa.tar.xz linux-25b70a8665e9854504b9196c3098dadd37c721aa.zip |
USB: ehci: paranoia, reject large control transfers
Some EHCI fault paths with large control transfers aren't coded. Avoid
problems by rejecting transfers that may need two qTDs (16+ KB). This is
mostly paranoia; even 4 KB transfers are rare, and most HCDs use lower
limits (so it's unlikely anyone would ever try such a thing).
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/usb/host/ehci-hcd.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c index 8c3e860bfce3..a02dcff5eb21 100644 --- a/drivers/usb/host/ehci-hcd.c +++ b/drivers/usb/host/ehci-hcd.c @@ -764,8 +764,14 @@ static int ehci_urb_enqueue ( INIT_LIST_HEAD (&qtd_list); switch (usb_pipetype (urb->pipe)) { - // case PIPE_CONTROL: - // case PIPE_BULK: + case PIPE_CONTROL: + /* qh_completions() code doesn't handle all the fault cases + * in multi-TD control transfers. Even 1KB is rare anyway. + */ + if (urb->transfer_buffer_length > (16 * 1024)) + return -EMSGSIZE; + /* FALLTHROUGH */ + /* case PIPE_BULK: */ default: if (!qh_urb_transaction (ehci, urb, &qtd_list, mem_flags)) return -ENOMEM; |