authorVitali Lovich <vlovich@aliph.com>2011-03-16 17:33:57 -0700
committerPeter Stuge <peter@stuge.se>2011-06-15 02:45:20 +0200
commit347198e07f6fe3f73c4b914c776851c2a7db5ca0 (patch)
tree0b122c30d064e24cda1a240d669d04b3dea5e721
parenta240f5c854665dffba5fcfca2739f1c14e4d355a (diff)
descriptor.c: Fix buffer read overflow caught by valgrind
In parse_interface() an unexpected descriptor would be parsed without validating the descriptor's length. It is possible for size to be 0 at this point, which means that the parsing would read past the end of the source buffer. Fix #83 by checking the length of the remaining buffer before parsing.
-rw-r--r--libusb/descriptor.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/libusb/descriptor.c b/libusb/descriptor.c
index 11480e8..d6ec46c 100644
--- a/libusb/descriptor.c
+++ b/libusb/descriptor.c
@@ -257,11 +257,13 @@ static int parse_interface(libusb_context *ctx,
}
/* Did we hit an unexpected descriptor? */
- usbi_parse_descriptor(buffer, "bb", &header, 0);
- if ((size >= DESC_HEADER_LENGTH) &&
- ((header.bDescriptorType == LIBUSB_DT_CONFIG) ||
- (header.bDescriptorType == LIBUSB_DT_DEVICE)))
- return parsed;
+ if (size >= DESC_HEADER_LENGTH) {
+ usbi_parse_descriptor(buffer, "bb", &header, 0);
+ if ((header.bDescriptorType == LIBUSB_DT_CONFIG) ||
+ (header.bDescriptorType == LIBUSB_DT_DEVICE)) {
+ return parsed;
+ }
+ }
if (ifp->bNumEndpoints > USB_MAXENDPOINTS) {
usbi_err(ctx, "too many endpoints (%d)", ifp->bNumEndpoints);
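Review bot: When `size < DESC_HEADER_LENGTH` the new guard skips the header read, but execution still falls through to the `ifp->bNumEndpoints` handling, with `header` holding whatever an earlier parse left in it. The rest of parse_interface() is outside this hunk, so it is not visible whether the endpoint code re-checks `size` before its own descriptor reads. If it does not, an interface that claims endpoints while the buffer is exhausted could still be read past its end. Either confirm that the later reads are length-checked, or make the short-buffer case explicit here, for example with a comment above the guard: `/* fewer than DESC_HEADER_LENGTH bytes left: no header to inspect; the endpoint parsing below must validate size itself */`.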