Diffstat (limited to 'Fixed-missing-input-buffer-length-check-in-urbdrc.patch')
-rw-r--r--Fixed-missing-input-buffer-length-check-in-urbdrc.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/Fixed-missing-input-buffer-length-check-in-urbdrc.patch b/Fixed-missing-input-buffer-length-check-in-urbdrc.patch
new file mode 100644
index 0000000..ea85996
--- /dev/null
+++ b/Fixed-missing-input-buffer-length-check-in-urbdrc.patch
@@ -0,0 +1,58 @@
+From ddf9b3f852c31311f8d726012131f657c9857276 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 08:47:51 +0200
+Subject: [PATCH] Fixed missing input buffer length check in urbdrc
+
+(cherry picked from commit 497df00f741dd4fc89292aaef2db7368aee45d0d)
+---
+ channels/urbdrc/client/data_transfer.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
+index bb2784055..80e84af48 100644
+--- a/channels/urbdrc/client/data_transfer.c
++++ b/channels/urbdrc/client/data_transfer.c
+@@ -241,6 +241,10 @@ static UINT urbdrc_process_io_control(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* c
+
+ Stream_Read_UINT32(s, OutputBufferSize);
+ Stream_Read_UINT32(s, RequestId);
++
++ if (OutputBufferSize > UINT32_MAX - 4)
++ return ERROR_INVALID_DATA;
++
+ InterfaceId = ((STREAM_ID_PROXY << 30) | pdev->get_ReqCompletion(pdev));
+ out = urb_create_iocompletion(InterfaceId, MessageId, RequestId, OutputBufferSize + 4);
+
+@@ -724,6 +728,15 @@ static UINT urb_bulk_or_interrupt_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBA
+ Stream_Read_UINT32(s, TransferFlags); /** TransferFlags */
+ Stream_Read_UINT32(s, OutputBufferSize);
+ EndpointAddress = (PipeHandle & 0x000000ff);
++
++ if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
++ {
++ if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
++ {
++ return ERROR_INVALID_DATA;
++ }
++ }
++
+ /** process TS_URB_BULK_OR_INTERRUPT_TRANSFER */
+ return pdev->bulk_or_interrupt_transfer(
+ pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, noAck,
+@@ -808,6 +821,13 @@ static UINT urb_isoch_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callback
+ packetDescriptorData = Stream_Pointer(s);
+ Stream_Seek(s, NumberOfPackets * 12);
+ Stream_Read_UINT32(s, OutputBufferSize);
++
++ if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
++ {
++ if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
++ return ERROR_INVALID_DATA;
++ }
++
+ return pdev->isoch_transfer(
+ pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, StartFrame,
+ ErrorCount, noAck, packetDescriptorData, NumberOfPackets, OutputBufferSize,
+--
+2.37.1
+
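Review bot: In the urb_isoch_transfer part of the embedded patch, the new length check runs only after `Stream_Seek(s, NumberOfPackets * 12)` and the 4-byte read of OutputBufferSize, so it does not cover the packet descriptor area that was just skipped. The context lines do not show whether an earlier guard bounds that region against the remaining stream, and the product is presumably computed in 32 bits, where it can wrap. Before relying on this backport, confirm that the function has such a guard above the hunk, along the lines of `if (!Stream_CheckAndLogRequiredLength(TAG, s, (size_t)NumberOfPackets * 12 + 4)) return ERROR_INVALID_DATA;`. Both transfer hunks also validate OutputBufferSize only for `USBD_TRANSFER_DIRECTION_OUT`; for the IN direction the value reaches the `pdev` callback unchanged, so any upper bound like the `UINT32_MAX - 4` check in urbdrc_process_io_control would have to be enforced in the callee, which is not visible here. All three functions begin and end outside their hunks.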