| author | Ovidiu Panait <ovpanait@gmail.com> | 2022-06-13 17:02:42 +0300 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2022-06-14 10:19:39 +0200 |
| commit | 9ce2c85a5c7104829269b904836201ccab6949f1 (patch) | |
| tree | 166ce971b37e506e5b484296f7097693cb320811 /executor/common_usb.h | |
| parent | a3bc5d68bc6cf57c55d4370027c295e367205c86 (diff) | |
executor: fix out of bounds write in lookup_connect_response_in()
gcc 12.1 reports the following -Werror=array-bounds error:
///
In function 'bool lookup_connect_response_in(...)'
executor/common_usb.h:632:66:
error: array subscript 'usb_qualifier_descriptor[0]' is partly outside array
bounds of 'char [8]' [-Werror=array-bounds]
|
632 | qual->bNumConfigurations = index->dev->bNumConfigurations;
| ~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'volatile long int syz_usb_connect_impl(...)':
executor/common_usb_linux.h:332:23: note: object 'response_data' of size 8
|
332 | char* response_data = NULL;
| ^~~~~~~~~~~~~
...
In function 'bool lookup_connect_response_in(...)',
executor/common_usb.h:633:57:
error: array subscript 'usb_qualifier_descriptor[0]' is partly outside array
bounds of 'char [8]' [-Werror=array-bounds]
|
633 | qual->bRESERVED = 0;
| ~~~~~~~~~~~~~~~~^~~
In function 'volatile long int syz_usb_connect_impl(...)':
executor/common_usb_linux.h:332:23: note: object 'response_data' of size 8
332 | char* response_data = NULL;
| ^~~~~~~~~~~~~
///
Current code in USB_DT_DEVICE_QUALIFIER case treats response_data as a buffer,
but in reality it is just a pointer, as detailed in the error trace above. In
order to allow passing a usb_qualifier_descriptor struct back to the caller
(via response_data), add a new parameter to lookup_connect_response_in().
Build tested only.
Fixes: 0c00210ff32 ("executor: always provide DEVICE_QUALIFIER USB descriptor")
Signed-off-by: Ovidiu Panait <ovpanait@gmail.com>
Diffstat (limited to 'executor/common_usb.h')
| -rw-r--r-- | executor/common_usb.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/executor/common_usb.h b/executor/common_usb.h
index 361605b0e..1cc4be980 100644
--- a/executor/common_usb.h
+++ b/executor/common_usb.h
@@ -577,6 +577,7 @@ static const char default_lang_id[] = {
 static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
 const struct usb_ctrlrequest* ctrl,
+ struct usb_qualifier_descriptor* qual,
 char** response_data, uint32* response_length)
 {
 struct usb_device_index* index = lookup_usb_index(fd);
@@ -620,8 +621,6 @@ static bool lookup_connect_response_in(int fd, const struct vusb_connect_descrip
 case USB_DT_DEVICE_QUALIFIER:
 if (!descs->qual) {
 // Fill in DEVICE_QUALIFIER based on DEVICE if not provided.
- struct usb_qualifier_descriptor* qual =
- (struct usb_qualifier_descriptor*)response_data;
 qual->bLength = sizeof(*qual);
 qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
 qual->bcdUSB = index->dev->bcdUSB;
@@ -631,6 +630,7 @@ static bool lookup_connect_response_in(int fd, const struct vusb_connect_descrip
 qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
 qual->bNumConfigurations = index->dev->bNumConfigurations;
 qual->bRESERVED = 0;
+ *response_data = (char*)qual;
 *response_length = sizeof(*qual);
 return true;
 }
|
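Review bot: The new `qual` parameter is written through unconditionally in the `!descs->qual` branch and then aliased into `*response_data` (third hunk), so the function now depends on the caller always passing non-NULL storage that stays alive for as long as the returned `*response_data` is used; neither the signature hunk nor the assignment documents that contract. The same applies to the parameter added in the first hunk, so one comment above the signature would cover both, e.g. `// qual: caller-owned struct used to synthesize a DEVICE_QUALIFIER when descs->qual is absent; on that path *response_data points into it, so it must outlive the caller's use of the response.` If the caller's storage is a stack local (not visible in this diff, so inferred), the response must be consumed before that frame returns. The enclosing function begins in the first hunk and continues past the closing `}` of the last hunk, which closes only the `if`.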
