Merge commit from fork

fix (host/storage): prevent stack overflow from infinite partition recursion

Author: fdesbiens

common/usbx_host_classes/inc/ux_host_class_storage.h

@@ -486,6 +486,8 @@ typedef struct UX_HOST_CLASS_STORAGE_STRUCT
     UINT            ux_host_class_storage_lun_types[UX_MAX_HOST_LUN];
 #if defined(UX_HOST_CLASS_STORAGE_NO_FILEX)
     ULONG           ux_host_class_storage_last_sector_number;
+#else
+    ULONG           ux_host_class_storage_mounted_partitions_count;
 #endif
     ULONG           ux_host_class_storage_sector_size;
     ULONG           ux_host_class_storage_data_phase_length;

common/usbx_host_classes/src/ux_host_class_storage_device_initialize.c

@@ -166,6 +166,12 @@ UINT                            inst_index;
         case UX_HOST_CLASS_STORAGE_MEDIA_IOMEGA_CLICK:
 
 #if !defined(UX_HOST_CLASS_STORAGE_NO_FILEX)
+            /* the ux_host_class_storage_mounted_partitions_count is needed to avoid
+             infinite recursive loops when mounting extended partions.
+             The value is checked against the UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT
+             */
+            storage -> ux_host_class_storage_mounted_partitions_count = 0;
+
             /* Try to read the device media in search for a partition table or boot sector.
                We are at the root of the disk, so use sector 0 as the starting point.  */
             _ux_host_class_storage_media_mount(storage, 0);

common/usbx_host_classes/src/ux_host_class_storage_partition_read.c

@@ -27,8 +27,6 @@
 #include "ux_api.h"
 #include "ux_host_class_storage.h"
 #include "ux_host_stack.h"
-
-
 /**************************************************************************/ 
 /*                                                                        */ 
 /*  FUNCTION                                               RELEASE        */ 
@@ -90,49 +88,55 @@ UINT  _ux_host_class_storage_partition_read(UX_HOST_CLASS_STORAGE *storage, UCHA
 UINT        status =  UX_ERROR;
 UINT        partition_index;
 
+    /* Check recursion/mount count before processing. */
+    if (storage -> ux_host_class_storage_mounted_partitions_count > UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT)
+    {
+        return UX_HOST_CLASS_STORAGE_ERROR_MEDIA_NOT_READ;
+    }
 
     /* Point the sector buffer to the first partition entry.  */
     sector_memory +=  UX_HOST_CLASS_STORAGE_PARTITION_TABLE_START;
-    
+
     /* There are 4 partitions in a partition table.  */
     for (partition_index = 0; partition_index < 4; partition_index++)
     {
+        /* Increment the mounted partition count for every entry processed. */
+        storage -> ux_host_class_storage_mounted_partitions_count++;
+
+        /* Check again after incrementing. */
+        if (storage -> ux_host_class_storage_mounted_partitions_count > UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT)
+        {
+            /* Too many partition entries processed, abort to prevent stack overflow. */
+            return UX_HOST_CLASS_STORAGE_ERROR_MEDIA_NOT_READ;
+        }
 
         /* Check if we recognize this partition entry.  */
         switch(*(sector_memory + UX_HOST_CLASS_STORAGE_PARTITION_TYPE))
         {
-
-        case UX_HOST_CLASS_STORAGE_PARTITION_FAT_12:       
-        case UX_HOST_CLASS_STORAGE_PARTITION_FAT_16:   
-        case UX_HOST_CLASS_STORAGE_PARTITION_FAT_16L: 
-        case UX_HOST_CLASS_STORAGE_PARTITION_FAT_16_LBA_MAPPED: 
-        case UX_HOST_CLASS_STORAGE_PARTITION_FAT_32_1:   
-        case UX_HOST_CLASS_STORAGE_PARTITION_FAT_32_2:   
-        case UX_HOST_CLASS_STORAGE_PARTITION_EXFAT:
-
-            /* We have found a legal partition entry pointing to a potential boot sector.  */
-            status =  _ux_host_class_storage_media_open(storage, sector + _ux_utility_long_get(sector_memory + UX_HOST_CLASS_STORAGE_PARTITION_SECTORS_BEFORE));
-            break;                              
-            
-        case UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED:   
-        case UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED_LBA_MAPPED:   
-
-            /* We have found an entry to an extended partition. We need to read that partition sector
-               and recursively mount all partitions found.  */
-            status =  _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(sector_memory + UX_HOST_CLASS_STORAGE_PARTITION_SECTORS_BEFORE));
-            break;
-                
-        default:
-
-            /* We have found something which is not a DOS recognized partition, or an empty entry.
-               Ignore it and proceed with the rest.  */
-            break;
+            case UX_HOST_CLASS_STORAGE_PARTITION_FAT_12:
+            case UX_HOST_CLASS_STORAGE_PARTITION_FAT_16:
+            case UX_HOST_CLASS_STORAGE_PARTITION_FAT_16L:
+            case UX_HOST_CLASS_STORAGE_PARTITION_FAT_16_LBA_MAPPED:
+            case UX_HOST_CLASS_STORAGE_PARTITION_FAT_32_1:
+            case UX_HOST_CLASS_STORAGE_PARTITION_FAT_32_2:
+            case UX_HOST_CLASS_STORAGE_PARTITION_EXFAT:
+                /* We have found a legal partition entry pointing to a potential boot sector.  */
+                status =  _ux_host_class_storage_media_open(storage, sector + _ux_utility_long_get(sector_memory + UX_HOST_CLASS_STORAGE_PARTITION_SECTORS_BEFORE));
+                break;
+            case UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED:
+            case UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED_LBA_MAPPED:
+                /* We have found an entry to an extended partition. We need to read that partition sector
+                   and recursively mount all partitions found.  */
+                status =  _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(sector_memory + UX_HOST_CLASS_STORAGE_PARTITION_SECTORS_BEFORE));
+                break;
+            default:
+                /* We have found something which is not a DOS recognized partition, or an empty entry.
+                   Ignore it and proceed with the rest.  */
+                break;
         }
-
         /* Move to the next partition entry.  */
         sector_memory +=  UX_HOST_CLASS_STORAGE_PARTITION_TABLE_SIZE;
     }
-
     /* Return completion status.  */
     return(status);
 #endif

ports/arm9/iar/inc/ux_port.h

@@ -204,6 +204,10 @@ typedef LONG                        SLONG;
 #define UX_HOST_CLASS_STORAGE_MAX_MEDIA                     2
 #endif
 
+#ifndef UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT
+#define UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT          8
+#endif
+
 #ifndef UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH
 #define UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH                 256
 #endif

ports/cortex_a5/gnu/inc/ux_port.h

@@ -204,6 +204,10 @@ typedef LONG                        SLONG;
 #define UX_HOST_CLASS_STORAGE_MAX_MEDIA                     2
 #endif
 
+#ifndef UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT
+#define UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT          8
+#endif
+
 #ifndef UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH
 #define UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH                 256
 #endif

ports/cortex_a5/iar/inc/ux_port.h

@@ -204,6 +204,10 @@ typedef LONG                        SLONG;
 #define UX_HOST_CLASS_STORAGE_MAX_MEDIA                     2
 #endif
 
+#ifndef UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT
+#define UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT          8
+#endif
+
 #ifndef UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH
 #define UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH                 256
 #endif

ports/cortex_a7/gnu/inc/ux_port.h

@@ -204,6 +204,10 @@ typedef LONG                        SLONG;
 #define UX_HOST_CLASS_STORAGE_MAX_MEDIA                     2
 #endif
 
+#ifndef UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT
+#define UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT          8
+#endif
+
 #ifndef UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH
 #define UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH                 256
 #endif

ports/cortex_a7/iar/inc/ux_port.h

@@ -204,6 +204,10 @@ typedef LONG                        SLONG;
 #define UX_HOST_CLASS_STORAGE_MAX_MEDIA                     2
 #endif
 
+#ifndef UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT
+#define UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT          8
+#endif
+
 #ifndef UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH
 #define UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH                 256
 #endif

ports/cortex_a8/gnu/inc/ux_port.h

@@ -204,6 +204,10 @@ typedef LONG                        SLONG;
 #define UX_HOST_CLASS_STORAGE_MAX_MEDIA                     2
 #endif
 
+#ifndef UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT
+#define UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT          8
+#endif
+
 #ifndef UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH
 #define UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH                 256
 #endif

ports/cortex_a8/iar/inc/ux_port.h

@@ -204,6 +204,10 @@ typedef LONG                        SLONG;
 #define UX_HOST_CLASS_STORAGE_MAX_MEDIA                     2
 #endif
 
+#ifndef UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT
+#define UX_HOST_CLASS_STORAGE_MAX_PARTITIONS_COUNT          8
+#endif
+
 #ifndef UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH
 #define UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH                 256
 #endif