Marc Winiger wrote: > Copying a string larger than USB_MAX_STRING_LEN - 1 produces a buffer > overflow. > > Marc > > > Index: usbf_subr.c > ================================================== ================= > RCS file: /var/cvs/src/sys/dev/usb/usbf_subr.c,v > retrieving revision 1.9 > diff -u -r1.9 usbf_subr.c > --- usbf_subr.c 15 Jun 2007 11:41:48 -0000 1.9 > +++ usbf_subr.c 23 Jul 2007 20:37:40 -0000 > @@ -308,8 +308,8 @@ > dev->string_id == USBF_STRING_ID_MAX) > return USBF_EMPTY_STRING_ID; > > - if ((len = strlen(string)) > USB_MAX_STRING_LEN) > - len = USB_MAX_STRING_LEN; > + if ((len = strlen(string)) >= USB_MAX_STRING_LEN) > + len = USB_MAX_STRING_LEN - 1; > > oldsize = dev->sdesc_size; > newsize = oldsize + 2 + 2 * len; > @@ -322,7 +322,7 @@ > sd = (usb_string_descriptor_t *)((char *)sd + oldsize); > sd->bLength = newsize - oldsize; The calculation of bLength is borked as well. bLength is a one-byte value; if len is 127 (USB_MAX_STRING_LEN - 1), then 2 + 2 * len will be 256, which is out of range for a one-byte value. The largest string that will work as a string descriptor is 126 bytes (excl. the terminating '\0'). USB_MAX_STRING_LEN probably needs to be adjusted in usb.h, as well as the definition of usb_string_descriptor_t, which looks wrong as well. > sd->bDescriptorType = UDESC_STRING; > - for (i = 0; string[i] != '\0'; i++) > + for (i = 0; string[i] != '\0' && i < len; i++) > USETW(sd->bString[i], string[i]); This looks correct. > > id = dev->string_id++;
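Review bot: the clamp in the @@ -308 hunk still lets len reach USB_MAX_STRING_LEN - 1 (127 according to the discussion), and the size computed from it a few lines later, `newsize = oldsize + 2 + 2 * len`, then adds 256 bytes for the string part, which cannot be represented in the one-byte bLength field. The bound should be derived from what bLength can hold (2 + 2 * len <= 255, so at most 126 characters), ideally as a constant defined next to usb_string_descriptor_t in usb.h so the cap and the descriptor layout cannot drift apart again; the move from an unbounded copy to a truncating one is otherwise the right direction.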
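Review bot: the `&& i < len` bound in the @@ -322 hunk keeps the copy loop consistent with the size computed from len, so the overflow in the copy itself is closed; what remains is that `sd->bLength = newsize - oldsize;` is stored into a byte-sized field with no check that the value fits, so any disagreement between the clamp above and the field width wraps silently. Suggest a check (or at least a debug-build assertion) that 2 + 2 * len <= 255 before the assignment, and since over-long strings are now truncated silently, a debug message when strlen(string) exceeds the cap would make a too-long device string visible during development instead of showing up as a cut-off descriptor on the host.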
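A small C demonstration, added here and not part of the thread or the OpenBSD source, of the bLength wrap described above: it builds a simplified string descriptor with a one-byte length field using the patch's clamp (up to 127 characters) beside a clamp derived from the field width (up to 126 characters). The struct layout, the constant values and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values as stated in the thread (USB_MAX_STRING_LEN - 1 == 127), assumed
 * here for the demo rather than taken from the OpenBSD usb.h. */
#define USB_MAX_STRING_LEN 128
#define UDESC_STRING 0x03
/* Most UTF-16 code units for which 2 + 2 * len still fits one byte: 126. */
#define USB_STRING_MAX_CHARS ((255 - 2) / 2)

/* Simplified string descriptor (assumed layout): byte length, byte type, UTF-16LE units. */
struct str_desc {
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bString[2 * (USB_MAX_STRING_LEN - 1)];
};

/* Clamp exactly as the patch does: len may still be 127. */
static size_t clamp_patch(size_t len) {
    return len >= USB_MAX_STRING_LEN ? USB_MAX_STRING_LEN - 1 : len;
}

/* Clamp derived from the width of bLength instead. */
static size_t clamp_fixed(size_t len) {
    return len > USB_STRING_MAX_CHARS ? USB_STRING_MAX_CHARS : len;
}

/* Build the descriptor for an ASCII string using the given clamp and return
 * the value that actually lands in the one-byte bLength field. */
static unsigned build_desc(struct str_desc *sd, const char *s,
                           size_t (*clamp)(size_t)) {
    size_t len = clamp(strlen(s)), i;
    memset(sd, 0, sizeof(*sd));
    sd->bLength = (uint8_t)(2 + 2 * len);   /* wraps when 2 + 2*len > 255 */
    sd->bDescriptorType = UDESC_STRING;
    for (i = 0; s[i] != '\0' && i < len; i++) {
        sd->bString[2 * i] = (uint8_t)s[i];  /* low byte of the code unit */
        sd->bString[2 * i + 1] = 0;          /* high byte: ASCII only */
    }
    return sd->bLength;
}

/* bLength for a constructed string of nchars 'A' characters. */
static unsigned blength_for(size_t nchars, size_t (*clamp)(size_t)) {
    char s[300]; struct str_desc sd;
    if (nchars > sizeof s - 1) nchars = sizeof s - 1;
    memset(s, 'A', nchars); s[nchars] = '\0';
    return build_desc(&sd, s, clamp);   /* 200 chars: patch 0, fixed 254 */
}
```

With a 200-character input the patch's clamp yields a bLength of 0 (256 wrapped to a byte) while the width-derived clamp yields 254; short strings give the same result under both.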