diff options
| author | cinap_lenrek <cinap_lenrek@felloff.net> | 2017-09-22 12:55:26 +0200 |
|---|---|---|
| committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2017-09-22 12:55:26 +0200 |
| commit | 546046b46bd920c9da13e46c87efa08ab0c85bfa (patch) | |
| tree | c72bc8018d70a9620089470df814c14a015743a0 /sys | |
| parent | 7722220ff5673036f3d058ebfdd45fe3078057da (diff) | |
xhci: do bounds checking in capability walking, check if controller vanished on init (thunderbolt unplug)
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/src/9/pc/usbxhci.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/sys/src/9/pc/usbxhci.c b/sys/src/9/pc/usbxhci.c index 976f3c8c5..d8620fa8f 100644 --- a/sys/src/9/pc/usbxhci.c +++ b/sys/src/9/pc/usbxhci.c @@ -362,15 +362,20 @@ resetring(Ring *r) static u32int* xecp(Ctlr *ctlr, uchar id, u32int *p) { - u32int x; + u32int x, *e; + e = &ctlr->mmio[ctlr->pcidev->mem[0].size/4]; if(p == nil){ p = ctlr->mmio; x = ctlr->hccparams>>16; - } else + } else { + assert(p < e); x = (*p>>8) & 255; + } while(x != 0){ p += x; + if(p >= e) + break; x = *p; if((x & 255) == id) return p; @@ -438,6 +443,8 @@ init(Hci *hp) int i, j; ctlr = hp->aux; + if(ctlr->mmio[CAPLENGTH] == -1) + error("controller vanished"); ctlr->opr = &ctlr->mmio[(ctlr->mmio[CAPLENGTH]&0xFF)/4]; ctlr->dba = &ctlr->mmio[ctlr->mmio[DBOFF]/4]; |