From baa5258a5eddb26cc15d56ac371cb2350a3f1302 Mon Sep 17 00:00:00 2001
From: Andrey Konovalov
Date: Thu, 11 Jul 2019 15:20:32 +0200
Subject: executor: fix out-of-bounds in USB fuzzing code

We might not have any string descriptors provided at all, use a hardcoded string in this case.
---
 executor/common_usb.h | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

(limited to 'executor/common_usb.h')

diff --git a/executor/common_usb.h b/executor/common_usb.h
index 6da4e4e17..fbb4e2128 100644
--- a/executor/common_usb.h
+++ b/executor/common_usb.h
@@ -175,6 +175,8 @@ struct vusb_connect_descriptors {
 	struct vusb_connect_string_descriptor strs[0];
 } __attribute__((packed));
+static const char* default_string = "syzkaller";
+
 static bool lookup_connect_response(struct vusb_connect_descriptors* descs, struct usb_device_index* index, struct usb_ctrlrequest* ctrl, char** response_data, uint32* response_length)
 {
@@ -195,12 +197,14 @@ static bool lookup_connect_response(struct vusb_connect_descriptors* descs, stru
 		return true;
 	case USB_DT_STRING:
 		str_idx = (uint8)ctrl->wValue;
-		if (str_idx >= descs->strs_len && descs->strs_len > 0) {
-			// Use the last string if we ran out.
-			str_idx = descs->strs_len - 1;
+		if (str_idx >= descs->strs_len) {
+			// Use the default string if we ran out.
+			*response_data = (char*)default_string;
+			*response_length = strlen(default_string);
+		} else {
+			*response_data = descs->strs[str_idx].str;
+			*response_length = descs->strs[str_idx].len;
 		}
-		*response_data = descs->strs[str_idx].str;
-		*response_length = descs->strs[str_idx].len;
 		return true;
 	case USB_DT_BOS:
 		*response_data = descs->bos;
-- 
cgit mrf-deployment
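Review bot: The `(char*)default_string` cast in the USB_DT_STRING branch drops const from a string literal, so any caller that writes through `*response_data` (for example to patch a length byte before sending) would be modifying read-only storage, which is undefined behavior; the other branches hand out pointers into `descs`, so the out-parameter appears to be read-only in practice, but nothing in the signature says so. Making the contract explicit with `const char** response_data` (or, if that signature change is out of scope, a comment on the cast such as `// points into read-only memory; callers must not modify the response`) would prevent a later caller from turning this fallback into a write to .rodata. The per-request `strlen(default_string)` could also be a compile-time constant, e.g. `static const uint32 default_string_len = sizeof("syzkaller") - 1;`, avoiding a mismatch if the literal is ever changed in one place but not the other. The `strlen` call presumably relies on `<string.h>` being included earlier in the header, which is outside this hunk; the body of lookup_connect_response also continues beyond the hunk.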