From: Zbigniew Jędrzejewski-Szmek Date: Thu, 28 Feb 2019 10:57:51 +0000 (+0100) Subject: udev-builtin-usb_id: guard against overflow when reading descriptor data X-Git-Tag: v242-rc1~221^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F11852%2Fhead;p=thirdparty%2Fsystemd.git udev-builtin-usb_id: guard against overflow when reading descriptor data CID#996458. Coverity warns that we trust desc->bLength as read in the input data to adjust our position in the buffer. This value could be anything, leading to overflow. It's unlikely that the kernel feeds us invalid data, but let's me more careful. If any error is encountered, more logs are given. --- diff --git a/src/udev/udev-builtin-usb_id.c b/src/udev/udev-builtin-usb_id.c index 489b232814f..7bdf6cfbb59 100644 --- a/src/udev/udev-builtin-usb_id.c +++ b/src/udev/udev-builtin-usb_id.c @@ -167,8 +167,10 @@ static int dev_if_packed_info(sd_device *dev, char *ifs_str, size_t len) { return log_device_debug_errno(dev, errno, "Failed to open \"%s\": %m", filename); size = read(fd, buf, sizeof(buf)); - if (size < 18 || (size_t) size >= sizeof(buf)) - return -EIO; + if (size < 18) + return log_device_warning_errno(dev, SYNTHETIC_ERRNO(EIO), + "Short read from \"%s\"", filename); + assert((size_t) size <= sizeof buf); ifs_str[0] = '\0'; while (pos + sizeof(struct usb_interface_descriptor) < (size_t) size && @@ -177,9 +179,12 @@ static int dev_if_packed_info(sd_device *dev, char *ifs_str, size_t len) { struct usb_interface_descriptor *desc; char if_str[8]; - desc = (struct usb_interface_descriptor *) &buf[pos]; + desc = (struct usb_interface_descriptor *) (buf + pos); if (desc->bLength < 3) break; + if (desc->bLength > size - sizeof(struct usb_interface_descriptor)) + return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EIO), + "Corrupt data read from \"%s\"", filename); pos += desc->bLength; if (desc->bDescriptorType != USB_DT_INTERFACE)