git.ipfire.org Git - thirdparty/systemd.git/commit
udev: fix bounds check in dev_if_packed_info()
author Milan Kyselica <mil.kyselica@gmail.com>
Thu, 9 Apr 2026 17:45:19 +0000 (19:45 +0200)
committer Luca Boccassi <luca.boccassi@gmail.com>
Thu, 9 Apr 2026 20:48:09 +0000 (21:48 +0100)
commit 4b32ab5a36aea7752be26c18dabc3a554189b19d
tree 66ffb1edce9ef9c90d2da6ab2da9442a1edae7e2
parent 5ade3f6a01c6a67332f6838428d28d8307283c83
udev: fix bounds check in dev_if_packed_info()

The check compared bLength against (size - sizeof(descriptor)), which
is an absolute limit unrelated to the current buffer position. Since
bLength is uint8_t (max 255), this can never exceed size - 9 for any
realistic input, making the check dead code.

Use (size - pos) instead so the check actually catches descriptors
that extend past the end of the read data.

Fixes: https://github.com/systemd/systemd/issues/41570
src/udev/udev-builtin-usb_id.c
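
The two limits named in the commit message, run side by side over a small buffer. This is an added example, not the systemd code: `walk_descriptors`, its `fixed` flag and both byte arrays are constructed for illustration, and only the 9-byte descriptor size and the `uint8_t` length field come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DESC_SIZE 9u /* sizeof(descriptor); the "9" in the commit message */

/* Constructed sample: three 9-byte records, bLength is the first byte. */
static const uint8_t WELL_FORMED[27] = {
        [0] = 9, [1] = 4, [9] = 9, [10] = 4, [18] = 9, [19] = 4,
};
/* Same layout, but the last record claims 18 bytes while only 9 remain. */
static const uint8_t TRUNCATED[27] = {
        [0] = 9, [1] = 4, [9] = 9, [10] = 4, [18] = 18, [19] = 4,
};

/* Hypothetical walker: returns the number of descriptors accepted, or -1
 * when the bounds check rejects one. It never reads past buf + size. */
static int walk_descriptors(const uint8_t *buf, size_t size, int fixed) {
        size_t pos = 0;
        int accepted = 0;

        while (pos + DESC_SIZE <= size) {
                uint8_t bLength = buf[pos];

                /* Assumption of this sketch: a length that cannot hold the
                 * length and type bytes ends the walk, so pos always advances. */
                if (bLength < 2)
                        break;

                /* Old limit is absolute and ignores pos; the new limit is
                 * the number of bytes left from the current position. */
                size_t limit = fixed ? size - pos : size - DESC_SIZE;
                if (bLength > limit)
                        return -1;

                pos += bLength;
                accepted++;
        }
        return accepted;
}

int main(void) {
        printf("well-formed: old=%d fixed=%d\n",
               walk_descriptors(WELL_FORMED, sizeof(WELL_FORMED), 0),
               walk_descriptors(WELL_FORMED, sizeof(WELL_FORMED), 1));
        printf("truncated:   old=%d fixed=%d\n",
               walk_descriptors(TRUNCATED, sizeof(TRUNCATED), 0),
               walk_descriptors(TRUNCATED, sizeof(TRUNCATED), 1));
        return 0;
}
```

With the old limit the truncated record is accepted because 18 is not greater than 27 - 9; with the position-relative limit it is rejected because only 9 bytes remain at offset 18.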