Module Name:    src
Committed By:   riastradh
Date:           Sun Apr 17 13:15:05 UTC 2022

Modified Files:
        src/sys/dev/usb: uvideo.c

Log Message:
uvideo(4): Avoid printing off the end of truncated descriptors.


To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 src/sys/dev/usb/uvideo.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/usb/uvideo.c
diff -u src/sys/dev/usb/uvideo.c:1.72 src/sys/dev/usb/uvideo.c:1.73
--- src/sys/dev/usb/uvideo.c:1.72	Wed Apr  6 22:01:45 2022
+++ src/sys/dev/usb/uvideo.c	Sun Apr 17 13:15:05 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: uvideo.c,v 1.72 2022/04/06 22:01:45 mlelstv Exp $	*/
+/*	$NetBSD: uvideo.c,v 1.73 2022/04/17 13:15:05 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2008 Patrick Mahoney
@@ -42,7 +42,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvideo.c,v 1.72 2022/04/06 22:01:45 mlelstv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvideo.c,v 1.73 2022/04/17 13:15:05 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -2458,6 +2458,11 @@ print_descriptor(const usb_descriptor_t 
 
 	if (desc->bDescriptorType == UDESC_INTERFACE) {
 		const usb_interface_descriptor_t *id;
+
+		if (desc->bLength < sizeof(*id)) {
+			printf("[truncated interface]\n");
+			return;
+		}
 		id = (const usb_interface_descriptor_t *)desc;
 		current_class = id->bInterfaceClass;
 		current_subclass = id->bInterfaceSubClass;
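Review bot: The early `return` in the `UDESC_INTERFACE` branch leaves `current_class` and `current_subclass` holding the values of the previous interface, because both assignments sit after the new length check. If later descriptors are dispatched on those two variables (the dispatch code is outside this hunk, so this is inferred), everything following a truncated interface descriptor would be decoded under the wrong class. Consider invalidating both before returning, or at least recording the behaviour with a comment such as `/* class/subclass stay stale here; later class-specific descriptors may be misattributed */`. print_descriptor starts before and continues after this hunk.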
@@ -2498,22 +2503,45 @@ print_vc_descriptor(const usb_descriptor
 
 	switch (desc->bDescriptorType) {
 	case UDESC_ENDPOINT:
+		if (desc->bLength < sizeof(usb_endpoint_descriptor_t)) {
+			printf("[truncated endpoint]");
+			break;
+		}
 		print_endpoint_descriptor(
 			(const usb_endpoint_descriptor_t *)desc);
 		break;
 	case UDESC_CS_INTERFACE:
+		if (desc->bLength < sizeof(*vcdesc)) {
+			printf("[truncated class-specific]");
+			break;
+		}
 		vcdesc = (const uvideo_descriptor_t *)desc;
 		switch (vcdesc->bDescriptorSubtype) {
 		case UDESC_VC_HEADER:
+			if (desc->bLength <
+			    sizeof(uvideo_vc_header_descriptor_t)) {
+				printf("[truncated videocontrol header]");
+				break;
+			}
 			print_vc_header_descriptor(
 			  (const uvideo_vc_header_descriptor_t *)
 				vcdesc);
 			break;
 		case UDESC_INPUT_TERMINAL:
+			if (desc->bLength <
+			    sizeof(uvideo_input_terminal_descriptor_t)) {
+				printf("[truncated input terminal]");
+				break;
+			}
 			switch (UGETW(
 			   ((const uvideo_input_terminal_descriptor_t *)
 				    vcdesc)->wTerminalType)) {
 			case UVIDEO_ITT_CAMERA:
+				if (desc->bLength <
+				    sizeof(uvideo_camera_terminal_descriptor_t)) {
+					printf("[truncated camera terminal]");
+					break;
+				}
 				print_camera_terminal_descriptor(
 			  (const uvideo_camera_terminal_descriptor_t *)vcdesc);
 				break;
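Review bot: Each new guard in this switch compares `desc->bLength` with the `sizeof` of a fixed struct, so it bounds only the fixed-size prefix of the descriptor. Several of these types (VC header, camera terminal, and the selector, processing and extension units and the VS frame descriptors guarded in the hunks at 2552 and 2642) carry a device-supplied count or size field followed by a variable-length tail. If the print helpers walk that tail (their bodies are not visible here), a descriptor that passes the guard can still be read past `bLength`, so each helper should also bound its count field against `bLength`. A comment at the top of the switch, e.g. `/* bLength is device-controlled; the checks below cover the fixed header only */`, would make the remaining gap explicit. print_vc_descriptor starts before and continues after this hunk.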
@@ -2524,21 +2552,41 @@ print_vc_descriptor(const usb_descriptor
 			}
 			break;
 		case UDESC_OUTPUT_TERMINAL:
+			if (desc->bLength <
+			    sizeof(uvideo_output_terminal_descriptor_t)) {
+				printf("[truncated output terminal]");
+				break;
+			}
 			print_output_terminal_descriptor(
 				(const uvideo_output_terminal_descriptor_t *)
 				vcdesc);
 			break;
 		case UDESC_SELECTOR_UNIT:
+			if (desc->bLength <
+			    sizeof(uvideo_selector_unit_descriptor_t)) {
+				printf("[truncated selector unit]");
+				break;
+			}
 			print_selector_unit_descriptor(
 				(const uvideo_selector_unit_descriptor_t *)
 				vcdesc);
 			break;
 		case UDESC_PROCESSING_UNIT:
+			if (desc->bLength <
+			    sizeof(uvideo_processing_unit_descriptor_t)) {
+				printf("[truncated processing unit]");
+				break;
+			}
 			print_processing_unit_descriptor(
 				(const uvideo_processing_unit_descriptor_t *)
 				vcdesc);
 			break;
 		case UDESC_EXTENSION_UNIT:
+			if (desc->bLength <
+			    sizeof(uvideo_extension_unit_descriptor_t)) {
+				printf("[truncated extension unit]");
+				break;
+			}
 			print_extension_unit_descriptor(
 				(const uvideo_extension_unit_descriptor_t *)
 				vcdesc);
@@ -2553,9 +2601,19 @@ print_vc_descriptor(const usb_descriptor
 		}
 		break;
 	case UDESC_CS_ENDPOINT:
+		if (desc->bLength < sizeof(*vcdesc)) {
+			printf("[truncated class-specific]");
+			break;
+		}
 		vcdesc = (const uvideo_descriptor_t *)desc;
 		switch (vcdesc->bDescriptorSubtype) {
 		case UDESC_VC_INTERRUPT_ENDPOINT:
+			if (desc->bLength <
+			    sizeof(uvideo_vc_interrupt_endpoint_descriptor_t)) {
+				printf("[truncated "
+				    "videocontrol interrupt endpoint]");
+				break;
+			}
 			print_interrupt_endpoint_descriptor(
 			    (const uvideo_vc_interrupt_endpoint_descriptor_t *)
 				vcdesc);
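Review bot: The `UDESC_CS_ENDPOINT` guard prints the same `[truncated class-specific]` text as the `UDESC_CS_INTERFACE` guard earlier in print_vc_descriptor, so the debug output cannot show which descriptor type was short. A distinct label, e.g. `printf("[truncated class-specific endpoint]");`, would make output from a malformed device easier to triage. The switch continues outside the hunk.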
@@ -2584,43 +2642,91 @@ print_vs_descriptor(const usb_descriptor
 
 	switch (desc->bDescriptorType) {
 	case UDESC_ENDPOINT:
+		if (desc->bLength < sizeof(usb_endpoint_descriptor_t)) {
+			printf("[truncated endpoint]");
+			break;
+		}
 		print_endpoint_descriptor(
 			(const usb_endpoint_descriptor_t *)desc);
 		break;
 	case UDESC_CS_INTERFACE:
+		if (desc->bLength < sizeof(*vsdesc)) {
+			printf("[truncated class-specific]");
+			break;
+		}
 		vsdesc = (const uvideo_descriptor_t *)desc;
 		switch (vsdesc->bDescriptorSubtype) {
 		case UDESC_VS_INPUT_HEADER:
+			if (desc->bLength <
+			    sizeof(uvideo_vs_input_header_descriptor_t)) {
+				printf("[truncated videostream input header]");
+				break;
+			}
 			print_vs_input_header_descriptor(
 			 (const uvideo_vs_input_header_descriptor_t *)
 				vsdesc);
 			break;
 		case UDESC_VS_OUTPUT_HEADER:
+			if (desc->bLength <
+			    sizeof(uvideo_vs_output_header_descriptor_t)) {
+				printf("[truncated "
+				    "videostream output header]");
+				break;
+			}
 			print_vs_output_header_descriptor(
 			(const uvideo_vs_output_header_descriptor_t *)
 				vsdesc);
 			break;
 		case UDESC_VS_FORMAT_UNCOMPRESSED:
+			if (desc->bLength <
+			    sizeof(uvideo_vs_format_uncompressed_descriptor_t))
+			{
+				printf("[truncated "
+				    "videostream format uncompressed]");
+				break;
+			}
 			print_vs_format_uncompressed_descriptor(
 			   (const uvideo_vs_format_uncompressed_descriptor_t *)
 				vsdesc);
 			break;
 		case UDESC_VS_FRAME_UNCOMPRESSED:
+			if (desc->bLength <
+			    sizeof(uvideo_vs_frame_uncompressed_descriptor_t))
+			{
+				printf("[truncated "
+				    "videostream frame uncompressed]");
+				break;
+			}
 			print_vs_frame_uncompressed_descriptor(
 			    (const uvideo_vs_frame_uncompressed_descriptor_t *)
 				vsdesc);
 			break;
 		case UDESC_VS_FORMAT_MJPEG:
+			if (desc->bLength <
+			    sizeof(uvideo_vs_format_mjpeg_descriptor_t)) {
+				printf("[truncated videostream format mjpeg]");
+				break;
+			}
 			print_vs_format_mjpeg_descriptor(
 				(const uvideo_vs_format_mjpeg_descriptor_t *)
 				vsdesc);
 			break;
 		case UDESC_VS_FRAME_MJPEG:
+			if (desc->bLength <
+			    sizeof(uvideo_vs_frame_mjpeg_descriptor_t)) {
+				printf("[truncated videostream frame mjpeg]");
+				break;
+			}
 			print_vs_frame_mjpeg_descriptor(
 				(const uvideo_vs_frame_mjpeg_descriptor_t *)
 				vsdesc);
 			break;
 		case UDESC_VS_FORMAT_DV:
+			if (desc->bLength <
+			    sizeof(uvideo_vs_format_dv_descriptor_t)) {
+				printf("[truncated videostream format dv]");
+				break;
+			}
 			print_vs_format_dv_descriptor(
 				(const uvideo_vs_format_dv_descriptor_t *)
 				vsdesc);
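Review bot: The same four-line guard is written out nine times in this switch with only the type and the label changing, which makes it easy to add a future case without one. A small helper would keep the comparison in one place, for example (name is a suggestion) `#define UVIDEO_DESC_SHORT(d, type) ((d)->bLength < sizeof(type))`, used as `if (UVIDEO_DESC_SHORT(desc, uvideo_vs_format_dv_descriptor_t)) {`. print_vs_descriptor starts before and continues after this hunk.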
