diff --git a/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c b/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c --- a/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c +++ b/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c @@ -534,6 +534,7 @@ * Size of both command and response buffers are passed in length field of * corresponding structures in "Parameter Total Length" format i.e. * not including HCI packet headers. + * Expected event code must be placed into "Event code" of the response buffer. * * Must not be used after USB transfers have been configured in attach routine. */ @@ -572,6 +573,12 @@ if (evt == NULL) return (USB_ERR_NORMAL_COMPLETION); + /* Save operation code if we expect completion event in response */ + if(((struct ubt_hci_event *)evt)->header.event == + NG_HCI_EVENT_COMMAND_COMPL) + ((struct ubt_hci_event_command_compl *)evt)->opcode = + cmd->opcode; + /* Initialize INTR endpoint xfer and wait for response */ mtx_init(&mtx, "ubt pb", NULL, MTX_DEF | MTX_NEW); @@ -842,6 +849,8 @@ struct ubt_hci_event *evt = usbd_xfer_softc(xfer); struct usb_page_cache *pc; int actlen; + struct ubt_hci_evhdr evhdr; + uint16_t opcode; usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL); @@ -849,7 +858,25 @@ case USB_ST_TRANSFERRED: if (actlen > UBT_HCI_EVENT_SIZE(evt)) actlen = UBT_HCI_EVENT_SIZE(evt); + if (actlen < sizeof(evhdr)) + goto submit_next; pc = usbd_xfer_get_frame(xfer, 0); + usbd_copy_out(pc, 0, &evhdr, sizeof(evhdr)); + /* Check for expected event code */ + if (evt->header.event != 0 && + (evt->header.event != evhdr.event)) + goto submit_next; + /* For completion events check operation code as well */ + if (evt->header.event == NG_HCI_EVENT_COMMAND_COMPL) { + if (actlen < sizeof(struct ubt_hci_event_command_compl)) + goto submit_next; + usbd_copy_out(pc, + offsetof(struct ubt_hci_event_command_compl, opcode), + &opcode, sizeof(opcode)); + if (opcode != + ((struct ubt_hci_event_command_compl *)evt)->opcode) + goto submit_next; + } usbd_copy_out(pc, 0, evt, actlen); /* OneShot mode */ wakeup(evt); diff --git a/sys/netgraph/bluetooth/drivers/ubt/ng_ubt_intel.c b/sys/netgraph/bluetooth/drivers/ubt/ng_ubt_intel.c --- a/sys/netgraph/bluetooth/drivers/ubt/ng_ubt_intel.c +++ b/sys/netgraph/bluetooth/drivers/ubt/ng_ubt_intel.c @@ -117,14 +117,14 @@ cmd.opcode = htole16(opcode); evt = malloc(offsetof(struct ubt_hci_event_command_compl, data) + resp_len, M_TEMP, M_ZERO | M_WAITOK); + evt->header.event = NG_HCI_EVENT_COMMAND_COMPL; evt->header.length = resp_len + UBT_HCI_EVENT_COMPL_HEAD_SIZE; error = ubt_do_hci_request(udev, &cmd, evt, UBT_INTEL_HCICMD_TIMEOUT); if (error != USB_ERR_NORMAL_COMPLETION) goto exit; - if (evt->header.event == NG_HCI_EVENT_COMMAND_COMPL && - evt->header.length == resp_len + UBT_HCI_EVENT_COMPL_HEAD_SIZE) + if (evt->header.length == resp_len + UBT_HCI_EVENT_COMPL_HEAD_SIZE) memcpy(resp, evt->data, resp_len); else error = USB_ERR_INVAL; @@ -148,6 +148,7 @@ uint8_t *data; evt = malloc(UBT_INTEL_MAX_EVT_SIZE, M_TEMP, M_ZERO | M_WAITOK); + evt->header.event = NG_HCI_EVENT_COMMAND_COMPL; evt->header.length = UBT_INTEL_MAX_EVT_SIZE - sizeof(struct ubt_hci_evhdr);