From patchwork Sun Apr  1 20:33:48 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: =?utf-8?q?Michael_B=C3=BCsch?= <m@bues.ch>
X-Patchwork-Id: 10533
Received: from mail.tu-berlin.de ([130.149.7.33])
	by www.linuxtv.org with esmtp (Exim 4.72)
	(envelope-from <linux-media-owner@vger.kernel.org>)
	id 1SERTv-0007Np-2h
	for patchwork@linuxtv.org; Sun, 01 Apr 2012 22:34:35 +0200
X-tubIT-Incoming-IP: 209.132.180.67
Received: from vger.kernel.org ([209.132.180.67])
	by mail.tu-berlin.de (exim-4.75/mailfrontend-3) with esmtp
	for <patchwork@linuxtv.org>
	id 1SERTu-0002eb-EZ; Sun, 01 Apr 2012 22:34:35 +0200
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752603Ab2DAUd5 (ORCPT <rfc822;patchwork@linuxtv.org>);
	Sun, 1 Apr 2012 16:33:57 -0400
Received: from bues.ch ([80.190.117.144]:42918 "EHLO bues.ch"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751938Ab2DAUd5 (ORCPT <rfc822;linux-media@vger.kernel.org>);
	Sun, 1 Apr 2012 16:33:57 -0400
Received: by bues.ch with esmtpsa (Exim 4.72) (envelope-from <m@bues.ch>)
	id 1SERTG-0006Bt-RB; Sun, 01 Apr 2012 22:33:55 +0200
Date: Sun, 1 Apr 2012 22:33:48 +0200
From: Michael =?UTF-8?B?QsO8c2No?= <m@bues.ch>
To: Antti Palosaari <crope@iki.fi>
Cc: linux-media <linux-media@vger.kernel.org>
Subject: [PATCH] af9035: Add USB read checksumming
Message-ID: <20120401223348.5f163b5d@milhouse>
X-Mailer: Claws Mail 3.8.0 (GTK+ 2.24.10; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379,
	Antispam-Data: 2012.4.1.202415
X-PMX-Spam: Gauge=IIIIIIII, Probability=8%, Report='
	HTML_00_01 0.05, HTML_00_10 0.05, MIME_LOWER_CASE 0.05,
	MSGID_ADDED_BY_MTA 0.05, BODYTEXTP_SIZE_3000_LESS 0,
	BODY_SIZE_3000_3999 0, BODY_SIZE_5000_LESS 0,
	BODY_SIZE_7000_LESS 0, INVALID_MSGID_NO_FQDN 0, __ANY_URI 0,
	__CP_URI_IN_BODY 0, __CT 0, __CTYPE_HAS_BOUNDARY 0,
	__CTYPE_MULTIPART 0, __HAS_MSGID 0, __HAS_X_MAILER 0,
	__HAS_X_MAILING_LIST 0, __MIME_VERSION 0, __SANE_MSGID 0,
	__STOCK_PHRASE_7 0, __TO_MALFORMED_2 0, __URI_NO_WWW 0,
	__URI_NS '

This adds USB message read checksumming to protect against
device and bus errors.
It also adds a read length check to avoid returning garbage from
the buffer, if the device truncated the message.

Signed-off-by: Michael Buesch <m@bues.ch>

Index: linux/drivers/media/dvb/dvb-usb/af9035.c
===================================================================
--- linux.orig/drivers/media/dvb/dvb-usb/af9035.c	2012-04-01 21:44:27.767000731 +0200
+++ linux/drivers/media/dvb/dvb-usb/af9035.c	2012-04-01 22:26:46.020185359 +0200
@@ -37,6 +37,22 @@
 	}
 };
 
+static u16 af9035_checksum(const u8 *buf, size_t len)
+{
+	size_t i;
+	u16 checksum = 0;
+
+	for (i = 1; i < len; i++) {
+		if (i % 2)
+			checksum += buf[i] << 8;
+		else
+			checksum += buf[i];
+	}
+	checksum = ~checksum;
+
+	return checksum;
+}
+
 static int af9035_ctrl_msg(struct usb_device *udev, struct usb_req *req)
 {
 #define BUF_LEN 63
@@ -45,11 +61,11 @@
 #define CHECKSUM_LEN 2
 #define USB_TIMEOUT 2000
 
-	int ret, i, act_len;
+	int ret, act_len;
 	u8 buf[BUF_LEN];
 	u32 msg_len;
 	static u8 seq; /* packet sequence number */
-	u16 checksum = 0;
+	u16 checksum, tmpsum;
 
 	/* buffer overflow check */
 	if (req->wlen > (BUF_LEN - REQ_HDR_LEN - CHECKSUM_LEN) ||
@@ -70,14 +86,7 @@
 		memcpy(&buf[4], req->wbuf, req->wlen);
 
 	/* calc and add checksum */
-	for (i = 1; i < buf[0]-1; i++) {
-		if (i % 2)
-			checksum += buf[i] << 8;
-		else
-			checksum += buf[i];
-	}
-	checksum = ~checksum;
-
+	checksum = af9035_checksum(buf, buf[0] - 1);
 	buf[buf[0]-1] = (checksum >> 8);
 	buf[buf[0]-0] = (checksum & 0xff);
 
@@ -107,7 +116,23 @@
 		ret = -EIO;
 		goto err_mutex_unlock;
 	}
+	if (act_len != msg_len) {
+		err("recv bulk message truncated (%d != %u)\n",
+		    act_len, (unsigned int)msg_len);
+		ret = -EIO;
+		goto err_mutex_unlock;
+	}
 
+	/* verify checksum */
+	checksum = af9035_checksum(buf, act_len - 2);
+	tmpsum = (buf[act_len - 2] << 8) | buf[act_len - 1];
+	if (tmpsum != checksum) {
+		err("%s: command=%02X checksum mismatch (%04X != %04X)\n",
+		    __func__, req->cmd,
+		    (unsigned int)tmpsum, (unsigned int)checksum);
+		ret = -EIO;
+		goto err_mutex_unlock;
+	}
 	/* check status */
 	if (buf[2]) {
 		pr_debug("%s: command=%02x failed fw error=%d\n", __func__,