diff options
| author | Jonathan Gray <jsg@cvs.openbsd.org> | 2020-06-05 00:51:57 +0000 |
|---|---|---|
| committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2020-06-05 00:51:57 +0000 |
| commit | a9ced0c685df637b922b0cbf1edc2e8b811508a8 (patch) | |
| tree | 2ec343e66e2c63c020a226d044e740ac1cc03115 | |
| parent | 034fddd33c8bc9fbca763130a49399cc17079fda (diff) | |
HID parser could overflow if a malicious device (potentially USB) provided
too many PUSH. report from Andy Nguyen @ google.
fix by jcs
from kernel hid.c rev 1.3
| -rw-r--r-- | lib/libusbhid/parse.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/lib/libusbhid/parse.c b/lib/libusbhid/parse.c index 98f9e196015..7384bf3a591 100644 --- a/lib/libusbhid/parse.c +++ b/lib/libusbhid/parse.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.c,v 1.11 2015/02/04 00:43:45 mpi Exp $ */ +/* $OpenBSD: parse.c,v 1.12 2020/06/05 00:51:56 jsg Exp $ */ /* $NetBSD: parse.c,v 1.2 2001/12/29 20:44:22 augustss Exp $ */ /* @@ -215,6 +215,9 @@ hid_get_item_raw(hid_data_t s, hid_item_t *h) if (s == NULL) return (0); + if (s->pushlevel >= MAXPUSH) + return (0); + c = &s->cur[s->pushlevel]; top: @@ -407,8 +410,8 @@ hid_get_item_raw(hid_data_t s, hid_item_t *h) s->loc_count = dval & mask; break; case 10: /* Push */ - s->pushlevel ++; - if (s->pushlevel < MAXPUSH) { + if (s->pushlevel < MAXPUSH - 1) { + s->pushlevel++; s->cur[s->pushlevel] = *c; /* store size and count */ c->report_size = s->loc_size; @@ -418,8 +421,8 @@ hid_get_item_raw(hid_data_t s, hid_item_t *h) } break; case 11: /* Pop */ - s->pushlevel --; - if (s->pushlevel < MAXPUSH) { + if (s->pushlevel > 0) { + s->pushlevel--; c = &s->cur[s->pushlevel]; /* restore size and count */ s->loc_size = c->report_size; |