authorjsg <jsg@openbsd.org>2020-06-05 00:51:56 +0000
committerjsg <jsg@openbsd.org>2020-06-05 00:51:56 +0000
commit63aecb600ebe6efccef0aa7c10eeef19f29ed515 (patch)
treed55fc63bb49f012a3e2d57ac4a57575f0a3f9d4a
parentHID parser could overflow if a malicious device (potentially USB) provided (diff)
HID parser could overflow if a malicious device (potentially USB) provided
too many PUSH. report from Andy Nguyen @ google. fix by jcs from kernel hid.c rev 1.3
-rw-r--r--lib/libusbhid/parse.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/lib/libusbhid/parse.c b/lib/libusbhid/parse.c
index 98f9e196015..7384bf3a591 100644
--- a/lib/libusbhid/parse.c
+++ b/lib/libusbhid/parse.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.c,v 1.11 2015/02/04 00:43:45 mpi Exp $ */
+/* $OpenBSD: parse.c,v 1.12 2020/06/05 00:51:56 jsg Exp $ */
/* $NetBSD: parse.c,v 1.2 2001/12/29 20:44:22 augustss Exp $ */
/*
@@ -215,6 +215,9 @@ hid_get_item_raw(hid_data_t s, hid_item_t *h)
if (s == NULL)
return (0);
+ if (s->pushlevel >= MAXPUSH)
+ return (0);
+
c = &s->cur[s->pushlevel];
top:
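Review bot: The added guard checks `s->pushlevel` only against the upper bound before `c = &s->cur[s->pushlevel]`, so it is sufficient only if `pushlevel` is an unsigned type. Its declaration is outside this hunk; the removed Pop code (`s->pushlevel --` followed by a `< MAXPUSH` test) suggests it is unsigned, but that should be confirmed. With the Push and Pop changes further down, the value should no longer leave the valid range, so this check reads as defence in depth and a comment would make that explicit: `/* pushlevel indexes s->cur[]; never parse from an out-of-range level */`. The body of hid_get_item_raw continues outside the hunk.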
@@ -407,8 +410,8 @@ hid_get_item_raw(hid_data_t s, hid_item_t *h)
s->loc_count = dval & mask;
break;
case 10: /* Push */
- s->pushlevel ++;
- if (s->pushlevel < MAXPUSH) {
+ if (s->pushlevel < MAXPUSH - 1) {
+ s->pushlevel++;
s->cur[s->pushlevel] = *c;
/* store size and count */
c->report_size = s->loc_size;
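Review bot: A Push beyond the limit is now skipped without any signal, and the Pop case in the next hunk likewise ignores a Pop at level 0, so a descriptor with excess Push items keeps parsing with its Push/Pop pairs out of step. The Pop that should match the dropped Push then restores the state saved by an earlier Push instead. That is memory-safe after this change, but items reported afterwards may carry the wrong size and count. As far as the hunk shows there is no else branch (the lines between this hunk and the next are not visible), so I would at least record the behaviour, e.g. `/* stack full: ignore this Push; the descriptor is malformed */`, and consider ending the parse at that point instead of continuing.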
@@ -418,8 +421,8 @@ hid_get_item_raw(hid_data_t s, hid_item_t *h)
}
break;
case 11: /* Pop */
- s->pushlevel --;
- if (s->pushlevel < MAXPUSH) {
+ if (s->pushlevel > 0) {
+ s->pushlevel--;
c = &s->cur[s->pushlevel];
/* restore size and count */
s->loc_size = c->report_size;