From fa3880546cc5fa933caa4333f1dbc397a93420b6 Mon Sep 17 00:00:00 2001
From: Diego Ismirlian
Date: Mon, 30 Sep 2019 17:48:46 -0300
Subject: USBH: check remaining bytes before dereferencing buffer To avoid accessing unimplemented memory. We rely on the lazy evaluation of the C language.
---
 os/hal/src/usbh/hal_usbh_desciter.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/os/hal/src/usbh/hal_usbh_desciter.c b/os/hal/src/usbh/hal_usbh_desciter.c
index cfce62b..0ccf4e4 100644
--- a/os/hal/src/usbh/hal_usbh_desciter.c
+++ b/os/hal/src/usbh/hal_usbh_desciter.c
@@ -25,7 +25,7 @@ void cfg_iter_init(generic_iterator_t *icfg, const uint8_t *buff, uint16_t rem) { icfg->valid = 0;
- if ((buff[0] < 2) || (rem < 2) || (rem < buff[0])
+ if ((rem < 2) || (buff[0] < 2) || (rem < buff[0])
 || (buff[0] < USBH_DT_CONFIG_SIZE) || (buff[1] != USBH_DT_CONFIG)) return;
@@ -45,14 +45,14 @@ void if_iter_next(if_iterator_t *iif) { iif->valid = 0;
- if ((curr[0] < 2) || (rem < 2) || (rem < curr[0]))
+ if ((rem < 2) || (curr[0] < 2) || (rem < curr[0]))
 return; for (;;) { rem -= curr[0]; curr += curr[0];
- if ((curr[0] < 2) || (rem < 2) || (rem < curr[0]))
+ if ((rem < 2) || (curr[0] < 2) || (rem < curr[0]))
 return; if (curr[1] == USBH_DT_INTERFACE_ASSOCIATION) {
@@ -92,14 +92,14 @@ void ep_iter_next(generic_iterator_t *iep) { iep->valid = 0;
- if ((curr[0] < 2) || (rem < 2) || (rem < curr[0]))
+ if ((rem < 2) || (curr[0] < 2) || (rem < curr[0]))
 return; for (;;) { rem -= curr[0]; curr += curr[0];
- if ((curr[0] < 2) || (rem < 2) || (rem < curr[0]))
+ if ((rem < 2) || (curr[0] < 2) || (rem < curr[0]))
 return; if ((curr[1] == USBH_DT_INTERFACE_ASSOCIATION)
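Review bot: The safety of the rewritten condition in cfg_iter_init depends entirely on operand order, and nothing in the code says so; only the commit message does. A comment directly above the `if` would keep a later cleanup from moving `buff[0]` back in front of the length test, for example `/* rem is tested first: || short-circuits, so buff[0] and buff[1] are never read when fewer than 2 bytes remain */`. The `(buff[0] < 2)` clause also looks redundant next to `(buff[0] < USBH_DT_CONFIG_SIZE)`, assuming that constant is at least 2; its definition is not visible here. The function body continues past the end of the hunk.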
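Review bot: The same three-clause bounds test now appears twice in if_iter_next and again in the ep_iter_next and cs_iter_next hunks (and as the first three clauses in cfg_iter_init), so the ordering this commit fixes has to be kept right in seven places by hand. Since these bytes are presumably descriptor data supplied by the attached device, one shared predicate would be easier to audit, e.g. `static inline bool desc_fits(const uint8_t *d, uint16_t rem) { return (rem >= 2) && (d[0] >= 2) && (rem >= d[0]); }` with each site reduced to `if (!desc_fits(curr, rem)) return;`. The helper name is only a suggestion. if_iter_next starts before this hunk and continues after it.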
@@ -131,13 +131,13 @@ void cs_iter_next(generic_iterator_t *ics) { ics->valid = 0;
- if ((curr[0] < 2) || (rem < 2) || (rem < curr[0]))
+ if ((rem < 2) || (curr[0] < 2) || (rem < curr[0]))
 return; rem -= curr[0]; curr += curr[0];
- if ((curr[0] < 2) || (rem < 2) || (rem < curr[0]))
+ if ((rem < 2) || (curr[0] < 2) || (rem < curr[0]))
 return; if ((curr[1] == USBH_DT_INTERFACE_ASSOCIATION)
-- 
cgit v1.2.3