|
 |
1069f6 |
From ddf9b3f852c31311f8d726012131f657c9857276 Mon Sep 17 00:00:00 2001
|
|
|
1069f6 |
From: akallabeth <akallabeth@posteo.net>
|
|
|
1069f6 |
Date: Thu, 13 Oct 2022 08:47:51 +0200
|
|
|
1069f6 |
Subject: [PATCH] Fixed missing input buffer length check in urbdrc
|
|
|
1069f6 |
|
|
|
1069f6 |
(cherry picked from commit 497df00f741dd4fc89292aaef2db7368aee45d0d)
|
|
|
1069f6 |
---
|
|
|
1069f6 |
channels/urbdrc/client/data_transfer.c | 20 ++++++++++++++++++++
|
|
|
1069f6 |
1 file changed, 20 insertions(+)
|
|
|
1069f6 |
|
|
|
1069f6 |
diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
|
|
|
1069f6 |
index bb2784055..80e84af48 100644
|
|
|
1069f6 |
--- a/channels/urbdrc/client/data_transfer.c
|
|
|
1069f6 |
+++ b/channels/urbdrc/client/data_transfer.c
|
|
|
1069f6 |
@@ -241,6 +241,10 @@ static UINT urbdrc_process_io_control(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* c
|
|
|
1069f6 |
|
|
|
1069f6 |
Stream_Read_UINT32(s, OutputBufferSize);
|
|
|
1069f6 |
Stream_Read_UINT32(s, RequestId);
|
|
|
1069f6 |
+
|
|
|
1069f6 |
+ if (OutputBufferSize > UINT32_MAX - 4)
|
|
|
1069f6 |
+ return ERROR_INVALID_DATA;
|
|
|
1069f6 |
+
|
|
|
1069f6 |
InterfaceId = ((STREAM_ID_PROXY << 30) | pdev->get_ReqCompletion(pdev));
|
|
|
1069f6 |
out = urb_create_iocompletion(InterfaceId, MessageId, RequestId, OutputBufferSize);
|
|
|
1069f6 |
|
|
|
1069f6 |
@@ -724,6 +728,15 @@ static UINT urb_bulk_or_interrupt_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBA
|
|
|
1069f6 |
Stream_Read_UINT32(s, TransferFlags); /** TransferFlags */
|
|
|
1069f6 |
Stream_Read_UINT32(s, OutputBufferSize);
|
|
|
1069f6 |
EndpointAddress = (PipeHandle & 0x000000ff);
|
|
|
1069f6 |
+
|
|
|
1069f6 |
+ if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
|
|
|
1069f6 |
+ {
|
|
|
1069f6 |
+ if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
|
|
|
1069f6 |
+ {
|
|
|
1069f6 |
+ return ERROR_INVALID_DATA;
|
|
|
1069f6 |
+ }
|
|
|
1069f6 |
+ }
|
|
|
1069f6 |
+
|
|
|
1069f6 |
/** process TS_URB_BULK_OR_INTERRUPT_TRANSFER */
|
|
|
1069f6 |
return pdev->bulk_or_interrupt_transfer(pdev, callback, MessageId, RequestId, EndpointAddress,
|
|
|
1069f6 |
TransferFlags, noAck, OutputBufferSize,
|
|
|
1069f6 |
@@ -808,6 +821,13 @@ static UINT urb_isoch_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callback
|
|
|
1069f6 |
packetDescriptorData = Stream_Pointer(s);
|
|
|
1069f6 |
Stream_Seek(s, NumberOfPackets * 12);
|
|
|
1069f6 |
Stream_Read_UINT32(s, OutputBufferSize);
|
|
|
1069f6 |
+
|
|
|
1069f6 |
+ if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
|
|
|
1069f6 |
+ {
|
|
|
1069f6 |
+ if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
|
|
|
1069f6 |
+ return ERROR_INVALID_DATA;
|
|
|
1069f6 |
+ }
|
|
|
1069f6 |
+
|
|
|
1069f6 |
return pdev->isoch_transfer(
|
|
|
1069f6 |
pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, StartFrame,
|
|
|
1069f6 |
ErrorCount, noAck, packetDescriptorData, NumberOfPackets, OutputBufferSize,
|
|
|
1069f6 |
--
|
|
|
1069f6 |
2.37.1
|
|
|
1069f6 |
|