From baa5258a5eddb26cc15d56ac371cb2350a3f1302 Mon Sep 17 00:00:00 2001
From: Andrey Konovalov <andreyknvl@google.com>
Date: Thu, 11 Jul 2019 15:20:32 +0200
Subject: executor: fix out-of-bounds in USB fuzzing code

We might not have any string descriptors provided at all, use a hardcoded
string in this case.
---
 pkg/csource/generated.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

(limited to 'pkg/csource')

diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index 9c5f6cb75..766ab6e28 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -1910,6 +1910,8 @@ struct vusb_connect_descriptors {
 	struct vusb_connect_string_descriptor strs[0];
 } __attribute__((packed));
 
+static const char* default_string = "syzkaller";
+
 static bool lookup_connect_response(struct vusb_connect_descriptors* descs, struct usb_device_index* index,
 				    struct usb_ctrlrequest* ctrl, char** response_data, uint32* response_length)
 {
@@ -1930,11 +1932,13 @@ static bool lookup_connect_response(struct vusb_connect_descriptors* descs, stru
 				return true;
 			case USB_DT_STRING:
 				str_idx = (uint8)ctrl->wValue;
-				if (str_idx >= descs->strs_len && descs->strs_len > 0) {
-					str_idx = descs->strs_len - 1;
+				if (str_idx >= descs->strs_len) {
+					*response_data = (char*)default_string;
+					*response_length = strlen(default_string);
+				} else {
+					*response_data = descs->strs[str_idx].str;
+					*response_length = descs->strs[str_idx].len;
 				}
-				*response_data = descs->strs[str_idx].str;
-				*response_length = descs->strs[str_idx].len;
 				return true;
 			case USB_DT_BOS:
 				*response_data = descs->bos;
-- 
cgit mrf-deployment