authorAndrey Konovalov <andreyknvl@google.com>2019-07-11 15:20:32 +0200
committerAndrey Konovalov <andreyknvl@gmail.com>2019-07-11 15:44:30 +0200
commitbaa5258a5eddb26cc15d56ac371cb2350a3f1302 (patch)
treed3ee2ef5ed69f175a045e52c557fa4fbcf165a0d /executor/common_usb.h
parent186a30b993773059e01e8b0bc4d12a9d360d0577 (diff)
executor: fix out-of-bounds in USB fuzzing code
We might not have any string descriptors provided at all; use a hardcoded string in this case.
Diffstat (limited to 'executor/common_usb.h')
-rw-r--r--executor/common_usb.h14
1 files changed, 9 insertions, 5 deletions
diff --git a/executor/common_usb.h b/executor/common_usb.h
index 6da4e4e17..fbb4e2128 100644
--- a/executor/common_usb.h
+++ b/executor/common_usb.h
@@ -175,6 +175,8 @@ struct vusb_connect_descriptors {
struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));
+static const char* default_string = "syzkaller";
+
static bool lookup_connect_response(struct vusb_connect_descriptors* descs, struct usb_device_index* index,
struct usb_ctrlrequest* ctrl, char** response_data, uint32* response_length)
{
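Review bot: `default_string` is declared as a non-const pointer to const data, so the pointer itself can still be reassigned, and the length has to be recomputed with `strlen()` on every request. Declaring it as an array, `static const char default_string[] = "syzkaller";`, makes the object read-only and lets the length be `sizeof(default_string) - 1`. The later `(char*)default_string` cast in the `USB_DT_STRING` branch discards const, so any consumer that writes through `*response_data` would be writing to read-only storage. Those consumers are not visible in this diff, so a one-line comment stating that the response buffer is read-only would help.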
@@ -195,12 +197,14 @@ static bool lookup_connect_response(struct vusb_connect_descriptors* descs, stru
return true;
case USB_DT_STRING:
str_idx = (uint8)ctrl->wValue;
- if (str_idx >= descs->strs_len && descs->strs_len > 0) {
- // Use the last string if we ran out.
- str_idx = descs->strs_len - 1;
+ if (str_idx >= descs->strs_len) {
+ // Use the default string if we ran out.
+ *response_data = (char*)default_string;
+ *response_length = strlen(default_string);
+ } else {
+ *response_data = descs->strs[str_idx].str;
+ *response_length = descs->strs[str_idx].len;
}
- *response_data = descs->strs[str_idx].str;
- *response_length = descs->strs[str_idx].len;
return true;
case USB_DT_BOS:
*response_data = descs->bos;
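Review bot: The fallback in the `USB_DT_STRING` branch returns the raw ASCII bytes of "syzkaller" as the entire response, with no `bLength`/`bDescriptorType` header and no UTF-16LE encoding, so a host parsing it as a string descriptor would read `'s'` as the length byte. If a well-formed default is intended, a byte array such as `static const char default_string[] = {8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0};` with `*response_length = sizeof(default_string);` would do; if the malformed reply is deliberate for fuzzing, a comment above the assignment should say so. The same fallback also answers index 0 when no strings are supplied, which hosts normally use to request the language-ID table, so that case may deserve its own default. In the `else` branch, `descs->strs[str_idx].len` is passed through unchanged, and whether it is bounded by the size of `str` cannot be confirmed from this hunk. The body of `lookup_connect_response` starts and ends outside the hunk.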