From c1f949908a5c8c402590633c23922787bc54b1d5 Mon Sep 17 00:00:00 2001 From: Stefano Ceccherini Date: Sat, 2 May 2009 16:04:15 +0000 Subject: [PATCH] get_device_hid() now has a 'size_t bufferLength' parameter, to avoid the risk of buffer overflow git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@30575 a95241bf-73f2-0310-859d-f6bbb57e9c96 --- headers/os/drivers/ACPI.h | 2 +- .../kernel/bus_managers/acpi/acpi_busman.c | 5 ++++- .../kernel/bus_managers/acpi/acpi_module.c | 2 +- .../kernel/bus_managers/acpi/acpi_ns_dump.cpp | 16 ++-------------- src/add-ons/kernel/bus_managers/acpi/acpi_priv.h | 4 ++-- 5 files changed, 10 insertions(+), 19 deletions(-) diff --git a/headers/os/drivers/ACPI.h b/headers/os/drivers/ACPI.h index 1253110919..f49ec73cb9 100644 --- a/headers/os/drivers/ACPI.h +++ b/headers/os/drivers/ACPI.h @@ -39,7 +39,7 @@ struct acpi_module_info { status_t (*get_device)(const char *hid, uint32 index, char *result, size_t resultLength); - status_t (*get_device_hid)(const char *path, char *hid); + status_t (*get_device_hid)(const char *path, char *hid, size_t hidLength); uint32 (*get_object_type)(const char *path); status_t (*get_object)(const char *path, acpi_object_type **_returnValue); diff --git a/src/add-ons/kernel/bus_managers/acpi/acpi_busman.c b/src/add-ons/kernel/bus_managers/acpi/acpi_busman.c index a67dee48dd..21c2a40efc 100644 --- a/src/add-ons/kernel/bus_managers/acpi/acpi_busman.c +++ b/src/add-ons/kernel/bus_managers/acpi/acpi_busman.c @@ -274,7 +274,7 @@ get_device(const char* hid, uint32 index, char* result, size_t resultLength) status_t -get_device_hid(const char *path, char *hid) +get_device_hid(const char *path, char *hid, size_t bufferLength) { ACPI_HANDLE handle; ACPI_OBJECT info; 
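Review bot: The new third parameter of `get_device_hid` in `struct acpi_module_info` carries no statement of how large the buffer must be, and it is named `hidLength` here and in both acpi_priv.h declarations while the definition in acpi_busman.c calls it `bufferLength`. A driver author reading only this header cannot tell that the implementation rejects any buffer smaller than `ACPI_DEVICE_ID_LENGTH` with `B_BUFFER_OVERFLOW`. I would add a comment above the member such as `/* hid must provide at least ACPI_DEVICE_ID_LENGTH bytes; returns B_BUFFER_OVERFLOW otherwise */` and settle on one parameter name in all four places.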
@@ -284,6 +284,9 @@ get_device_hid(const char *path, char *hid) if (AcpiGetHandle(NULL, (ACPI_STRING)path, &handle) != AE_OK) return B_ENTRY_NOT_FOUND; + if (bufferLength < ACPI_DEVICE_ID_LENGTH) + return B_BUFFER_OVERFLOW; + infoBuffer.Pointer = &info; infoBuffer.Length = sizeof(ACPI_OBJECT); info.String.Pointer = hid; diff --git a/src/add-ons/kernel/bus_managers/acpi/acpi_module.c b/src/add-ons/kernel/bus_managers/acpi/acpi_module.c index 1dc9272bdd..158d93057e 100644 --- a/src/add-ons/kernel/bus_managers/acpi/acpi_module.c +++ b/src/add-ons/kernel/bus_managers/acpi/acpi_module.c @@ -109,7 +109,7 @@ acpi_enumerate_child_devices(device_node *node, const char *root) { NULL } }; - get_device_hid(result, hid); + get_device_hid(result, hid, sizeof(hid)); if (gDeviceManager->register_node(node, ACPI_DEVICE_MODULE_NAME, attrs, NULL, &deviceNode) == B_OK) diff --git a/src/add-ons/kernel/bus_managers/acpi/acpi_ns_dump.cpp b/src/add-ons/kernel/bus_managers/acpi/acpi_ns_dump.cpp index a6dc2ae46b..c13e2df799 100644 --- a/src/add-ons/kernel/bus_managers/acpi/acpi_ns_dump.cpp +++ b/src/add-ons/kernel/bus_managers/acpi/acpi_ns_dump.cpp @@ -107,7 +107,7 @@ dump_acpi_namespace(acpi_ns_device_info *device, char *root, int indenting) break; case ACPI_TYPE_DEVICE: hid[0] = 0; /* zero-terminate string; get_device_hid can (and will) fail! */ - device->acpi->get_device_hid(result, hid); + device->acpi->get_device_hid(result, hid, sizeof(hid)); snprintf(output, sizeof(output), "%s DEVICE (%s)", output, hid); break; case ACPI_TYPE_EVENT: @@ -146,7 +146,6 @@ dump_acpi_namespace(acpi_ns_device_info *device, char *root, int indenting) toWrite++; if (ringBuffer.Lock()) { if (ringBuffer.WritableAmount() < toWrite) { - //dprintf("not enough space\n"); if (!make_space(device, toWrite)) { panic("couldn't make space"); exit_thread(0); 
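Review bot: The added guard accepts `bufferLength == ACPI_DEVICE_ID_LENGTH`, and nothing visible in this hunk passes `bufferLength` on to the code that fills `hid`, so the protection holds only if every later write stays within `ACPI_DEVICE_ID_LENGTH` bytes including the terminating NUL. The rest of `get_device_hid` lies outside the hunk; any copy or format call there that is sized with the constant (or the constant plus one) should be sized with `bufferLength` instead. The visible context also sets `info.String.Pointer = hid` with no length next to it in the lines shown, so it is worth confirming that the evaluation call cannot write through that pointer unbounded.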
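Review bot: The return value of `get_device_hid(result, hid, sizeof(hid))` in `acpi_enumerate_child_devices` is discarded, so when the call fails (now also with `B_BUFFER_OVERFLOW`) `hid` is used in whatever state it was left. The declaration and any initialisation of `hid` are outside this hunk; unless it is zero-terminated beforehand, as acpi_ns_dump.cpp does with `hid[0] = 0`, anything built from it and handed to `register_node` may contain uninitialised stack data. I would check the status, `if (get_device_hid(result, hid, sizeof(hid)) != B_OK) hid[0] = '\0';`, or initialise `hid` before the call. `sizeof(hid)` is only the right length if `hid` is an array in this scope rather than a pointer, which should be confirmed too.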
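Review bot: In the `ACPI_TYPE_DEVICE` case the context line `snprintf(output, sizeof(output), "%s DEVICE (%s)", output, hid);` passes `output` as both destination and source argument, which is undefined behaviour for overlapping objects and may corrupt or truncate the dumped line depending on the C library. Appending in place avoids the overlap: `size_t used = strlen(output);` followed by `snprintf(output + used, sizeof(output) - used, " DEVICE (%s)", hid);`. The body of `dump_acpi_namespace` extends beyond this hunk, so the other `case` branches should be checked for the same pattern.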
@@ -154,7 +153,6 @@ dump_acpi_namespace(acpi_ns_device_info *device, char *root, int indenting) } written = ringBuffer.Write(output, toWrite); - //dprintf("written %ld bytes\n", written); ringBuffer.Unlock(); } @@ -225,38 +223,29 @@ acpi_namespace_read(void *_cookie, off_t position, void *buf, size_t* num_bytes) acpi_ns_device_info *device = (acpi_ns_device_info *)_cookie; size_t bytesRead = 0; size_t readable = 0; - //dprintf("acpi_namespace_read(cookie: %p, position: %lld, buffer: %p, size: %ld)\n", - // _cookie, position, buf, *num_bytes); - + RingBuffer &ringBuffer = *device->buffer; if (ringBuffer.Lock()) { readable = ringBuffer.ReadableAmount(); - //dprintf("%ld bytes readable\n", readable); if (readable <= 0) { - //dprintf("acquiring read sem...\n"); ringBuffer.Unlock(); status_t status = acquire_sem_etc(device->read_sem, 1, B_CAN_INTERRUPT, 0); if (status == B_INTERRUPTED) { - //dprintf("read: acquire_sem returned %s\n", strerror(status)); *num_bytes = 0; return status; } - //dprintf("read sem acquired\n"); if (!ringBuffer.Lock()) { - dprintf("read: couldn't acquire lock. bailing\n"); *num_bytes = 0; return B_ERROR; } } - //dprintf("readable %ld\n", ringBuffer.ReadableAmount()); bytesRead = ringBuffer.Read(buf, *num_bytes); ringBuffer.Unlock(); } - //dprintf("read: read %ld bytes\n", bytesRead); if (bytesRead < 0) { *num_bytes = 0; return bytesRead; @@ -275,7 +264,6 @@ acpi_namespace_read(void *_cookie, off_t position, void *buf, size_t* num_bytes) static status_t acpi_namespace_write(void* cookie, off_t position, const void* buffer, size_t* num_bytes) { - dprintf("acpi_ns_dump: device_write\n"); *num_bytes = 0; /* tell caller nothing was written */ return B_IO_ERROR; } diff --git a/src/add-ons/kernel/bus_managers/acpi/acpi_priv.h b/src/add-ons/kernel/bus_managers/acpi/acpi_priv.h index 6b4059cce0..228289520e 100644 --- a/src/add-ons/kernel/bus_managers/acpi/acpi_priv.h +++ b/src/add-ons/kernel/bus_managers/acpi/acpi_priv.h 
@@ -47,7 +47,7 @@ typedef struct acpi_root_info { status_t (*get_device)(const char *hid, uint32 index, char *result, size_t resultLength); - status_t (*get_device_hid)(const char *path, char *hid); + status_t (*get_device_hid)(const char *path, char *hid, size_t hidLength); uint32 (*get_object_type)(const char *path); status_t (*get_object)(const char *path, acpi_object_type **_returnValue); @@ -86,7 +86,7 @@ status_t get_next_entry(uint32 object_type, const char *base, char *result, status_t get_device(const char *hid, uint32 index, char *result, size_t resultLength); -status_t get_device_hid(const char *path, char *hid); +status_t get_device_hid(const char *path, char *hid, size_t hidLength); uint32 get_object_type(const char *path); status_t get_object(const char *path, acpi_object_type **return_value); status_t get_object_typed(const char *path, acpi_object_type **return_value,