tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Prevent infinite loop on zero length USB descriptors

Browse source 
If a USB device descriptor has zero length it is invalid and iteration
should stop otherwise the code iterating will go into an infinite loop.

Bug: 149986186
Test: attach bad USB device with invalid descriptor length 0 then attach
a good USB device and ensure it is recognized properly

Change-Id: I7571a6357bdc13af221cf8be01eba16f5bc976a3
This commit is contained in:
Jacob Abrams 2020-02-21 10:16:16 -08:00
parent 3c0e06d829
commit 43d246c5c2
1 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
libusbhost/usbhost.c
View file

@ -597,6 +597,11 @@ struct usb_descriptor_header *usb_descriptor_iter_next(struct usb_descriptor_ite
if (iter->curr_desc >= iter->config_end)
return NULL;
next = (struct usb_descriptor_header*)iter->curr_desc;
// Corrupt descriptor with zero length, cannot continue iterating
if (next->bLength == 0) {
D("usb_descriptor_iter_next got zero length USB descriptor, ending iteration\n");
return NULL;
}
iter->curr_desc += next->bLength;
return next;
}