WIP: buffer overread

The first iteration of this loop was safe because the beginning of the function checked that `size` is at least LIBUSB_DT_CONFIG_SIZE (9) bytes long. But for subsequent iterations, it's unclear...
libusb · Feb 7, 2024 · 83942ce · 83942ce
1 parent cb78999
commit 83942ce
Showing 1 changed file with 10 additions and 7 deletions.
diff --git a/libusb/descriptor.c b/libusb/descriptor.c
@@ -1245,7 +1245,7 @@ static int parse_iad_array(struct libusb_context *ctx,
 	while (consumed < size) {
 		header.bLength = buf[0];
 		header.bDescriptorType = buf[1];
-		if (header.bLength < 2) {
+		if (header.bLength < sizeof(struct usbi_descriptor_header)) {
 			usbi_err(ctx, "invalid descriptor bLength %d",
 				 header.bLength);
 			return LIBUSB_ERROR_IO;
@@ -1270,12 +1270,12 @@ static int parse_iad_array(struct libusb_context *ctx,
 		iad_array->iad = iad;
 
 		// Second pass: Iterate through desc list, fill IAD structures
-		consumed = 0;
+		int remaining = size;
 		i = 0;
-		while (consumed < size) {
+		do {
 			header.bLength = buffer[0];
 			header.bDescriptorType = buffer[1];
-			if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION) {
+			if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION && (remaining >= 8)) {
 				iad[i].bLength = buffer[0];
 				iad[i].bDescriptorType = buffer[1];
 				iad[i].bFirstInterface = buffer[2];
@@ -1286,10 +1286,13 @@ static int parse_iad_array(struct libusb_context *ctx,
 				iad[i].iFunction = buffer[7];
 				i++;
 			}
-
+
+			remaining -= header.bLength;
+			if (remaining < 2) {
+				break;
+			}
 			buffer += header.bLength;
-			consumed += header.bLength;
-		}
+		} while (1);
 	}
 
 	return LIBUSB_SUCCESS;