diff options
author | Diego Ismirlian <dismirlian@gmail.com> | 2019-09-30 17:48:46 -0300 |
---|---|---|
committer | Diego Ismirlian <dismirlian@gmail.com> | 2019-10-02 16:57:30 -0300 |
commit | fa3880546cc5fa933caa4333f1dbc397a93420b6 (patch) | |
tree | c27e62b1f6c9c8f4b1b53c1026103e5caa66b26d /os | |
parent | 2cd41f99df0fc857afaef091ca3b984a728d0e3c (diff) | |
download | ChibiOS-Contrib-fa3880546cc5fa933caa4333f1dbc397a93420b6.tar.gz ChibiOS-Contrib-fa3880546cc5fa933caa4333f1dbc397a93420b6.tar.bz2 ChibiOS-Contrib-fa3880546cc5fa933caa4333f1dbc397a93420b6.zip |
USBH: check remaining bytes before dereferencing buffer
To avoid accessing unimplemented memory. We rely on the lazy evaluation
of the C language.
Diffstat (limited to 'os')
-rw-r--r-- | os/hal/src/usbh/hal_usbh_desciter.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/os/hal/src/usbh/hal_usbh_desciter.c b/os/hal/src/usbh/hal_usbh_desciter.c index cfce62b..0ccf4e4 100644 --- a/os/hal/src/usbh/hal_usbh_desciter.c +++ b/os/hal/src/usbh/hal_usbh_desciter.c @@ -25,7 +25,7 @@ void cfg_iter_init(generic_iterator_t *icfg, const uint8_t *buff, uint16_t rem) { icfg->valid = 0; - if ((buff[0] < 2) || (rem < 2) || (rem < buff[0]) + if ((rem < 2) || (buff[0] < 2) || (rem < buff[0]) || (buff[0] < USBH_DT_CONFIG_SIZE) || (buff[1] != USBH_DT_CONFIG)) return; @@ -45,14 +45,14 @@ void if_iter_next(if_iterator_t *iif) { iif->valid = 0; - if ((curr[0] < 2) || (rem < 2) || (rem < curr[0])) + if ((rem < 2) || (curr[0] < 2) || (rem < curr[0])) return; for (;;) { rem -= curr[0]; curr += curr[0]; - if ((curr[0] < 2) || (rem < 2) || (rem < curr[0])) + if ((rem < 2) || (curr[0] < 2) || (rem < curr[0])) return; if (curr[1] == USBH_DT_INTERFACE_ASSOCIATION) { @@ -92,14 +92,14 @@ void ep_iter_next(generic_iterator_t *iep) { iep->valid = 0; - if ((curr[0] < 2) || (rem < 2) || (rem < curr[0])) + if ((rem < 2) || (curr[0] < 2) || (rem < curr[0])) return; for (;;) { rem -= curr[0]; curr += curr[0]; - if ((curr[0] < 2) || (rem < 2) || (rem < curr[0])) + if ((rem < 2) || (curr[0] < 2) || (rem < curr[0])) return; if ((curr[1] == USBH_DT_INTERFACE_ASSOCIATION) @@ -131,13 +131,13 @@ void cs_iter_next(generic_iterator_t *ics) { ics->valid = 0; - if ((curr[0] < 2) || (rem < 2) || (rem < curr[0])) + if ((rem < 2) || (curr[0] < 2) || (rem < curr[0])) return; rem -= curr[0]; curr += curr[0]; - if ((curr[0] < 2) || (rem < 2) || (rem < curr[0])) + if ((rem < 2) || (curr[0] < 2) || (rem < curr[0])) return; if ((curr[1] == USBH_DT_INTERFACE_ASSOCIATION) |