author | Vitali Lovich <vlovich@aliph.com> | 2011-03-16 17:33:57 -0700 |
---|---|---|
committer | Peter Stuge <peter@stuge.se> | 2011-06-15 02:45:20 +0200 |
commit | 347198e07f6fe3f73c4b914c776851c2a7db5ca0 (patch) | |
tree | 0b122c30d064e24cda1a240d669d04b3dea5e721 | |
parent | a240f5c854665dffba5fcfca2739f1c14e4d355a (diff) | |
download | libusb-347198e07f6fe3f73c4b914c776851c2a7db5ca0.tar.gz |
descriptor.c: Fix buffer read overflow caught by valgrind
In parse_interface() an unexpected descriptor would be parsed without
validating the descriptor's length. It is possible for size to be 0 at
this point, which means that the parsing would read past the end of the
source buffer. Fix #83 by checking the length of the remaining buffer
before parsing.
-rw-r--r-- | libusb/descriptor.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/libusb/descriptor.c b/libusb/descriptor.c
index 11480e8..d6ec46c 100644
--- a/libusb/descriptor.c
+++ b/libusb/descriptor.c
@@ -257,11 +257,13 @@ static int parse_interface(libusb_context *ctx,
 }
 /* Did we hit an unexpected descriptor? */
- usbi_parse_descriptor(buffer, "bb", &header, 0);
- if ((size >= DESC_HEADER_LENGTH) &&
- ((header.bDescriptorType == LIBUSB_DT_CONFIG) ||
- (header.bDescriptorType == LIBUSB_DT_DEVICE)))
- return parsed;
+ if (size >= DESC_HEADER_LENGTH) {
+ usbi_parse_descriptor(buffer, "bb", &header, 0);
+ if ((header.bDescriptorType == LIBUSB_DT_CONFIG) ||
+ (header.bDescriptorType == LIBUSB_DT_DEVICE)) {
+ return parsed;
+ }
+ }
 if (ifp->bNumEndpoints > USB_MAXENDPOINTS) {
 usbi_err(ctx, "too many endpoints (%d)", ifp->bNumEndpoints); |
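Review bot: When `size` is smaller than `DESC_HEADER_LENGTH` (including the `size == 0` case the description mentions), the new guard skips the header read but control still falls through to the `bNumEndpoints` check and the rest of parse_interface(), which starts and ends outside this hunk. If the code that follows reads another two-byte header from `buffer` before comparing against `size` (plausible, since endpoint parsing comes next, but not visible here), it needs the same `size >= DESC_HEADER_LENGTH` test; otherwise the over-read is only moved to a later statement. It would also help to record the invariant at the guard, e.g. `/* size may be 0 here: never parse a header from fewer than DESC_HEADER_LENGTH bytes */`, so the check is not folded back into the type comparison later.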