descriptor: Fix potential offsetting of pointer by too much
This was checking that `size` is at least `LIBUSB_DT_CONFIG_SIZE` (9)
bytes long, but then increments the pointer with `buf +=
header.bLength`. That could end up pointing past the end of the
buffer. There is a subsequent check that would prevent dereferencing it,
but it's still undefined behaviour to even create such a pointer.

Add a check with a similar pattern as elsewhere in this file.
seanm authored and tormodvolden committed May 28, 2024
1 parent 5144b1c commit 016a0de
Showing 2 changed files with 6 additions and 1 deletion.
5 changes: 5 additions & 0 deletions libusb/descriptor.c
Expand Up @@ -1334,6 +1334,11 @@ static int parse_iad_array(struct libusb_context *ctx,
header.bLength);
return LIBUSB_ERROR_IO;
}
else if (header.bLength > size) {
usbi_warn(ctx, "short config descriptor read %d/%u",
size, header.bLength);
return LIBUSB_ERROR_IO;
}
if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION)
iad_array->length++;
buf += header.bLength;
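Review bot: the new bound in `else if (header.bLength > size)` is taken against `size`, but `buf` moves forward by `buf += header.bLength` right below it and nothing in the visible lines shrinks `size` to match. If this code runs once per descriptor with `size` held at the total buffer length, the check only constrains the first descriptor: a later `bLength` that is no larger than `size` but larger than the bytes still left would again move `buf` past the end, which is the undefined behaviour the commit message sets out to remove. Consider comparing `header.bLength` against the remaining byte count (total length minus what has already been stepped over) rather than `size`. Minor: the preceding branch ends in `return LIBUSB_ERROR_IO;`, so the `else` is redundant, and since this path also returns an error it may deserve the same log level as the other malformed-descriptor paths rather than `usbi_warn`.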
2 changes: 1 addition & 1 deletion libusb/version_nano.h
@@ -1 +1 @@
#define LIBUSB_NANO 11909
#define LIBUSB_NANO 11910