| author | 2010-01-23 23:08:35 +0100 | |
|---|---|---|
| committer | 2010-01-24 00:20:01 +0100 | |
| commit | 68729a347011a8fb39f1e4aa35ae06c4f2f491d4 (patch) | |
| tree | 47835492a322b8c9a03f8ae79d5ff2593ca3a615 /daemon | |
| parent | 11a0f473b5c12a6c0105e8b785e6744d8f23aee3 (diff) | |
Security fix: check cumulative packet size for split device packets
Diffstat (limited to 'daemon')
| -rw-r--r-- | daemon/device.c | 5 |
1 files changed, 5 insertions, 0 deletions
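--- a/daemon/device.c
+++ b/daemon/device.c
@@ -552,6 +552,11 @@ void device_data_input(struct usb_device *usbdev, unsigned char *buffer, int len
 
 // handle broken up transfers
 if(dev->pktlen) {
+if((length + dev->pktlen) > DEV_PKTBUF_SIZE) {
+usbmuxd_log(LL_ERROR, "Incoming split packet is too large (%d so far), dropping!", length + dev->pktlen);
+dev->pktlen = 0;
+return;
+}
 memcpy(dev->pktbuf + dev->pktlen, buffer, length);
 struct mux_header *mhdr = (struct mux_header *)dev->pktbuf;
 if((length < USB_MRU) || (ntohl(mhdr->length) == length)) {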
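Review bot: The new guard in the `if(dev->pktlen)` branch is written as a sum, `(length + dev->pktlen) > DEV_PKTBUF_SIZE`, so whether it holds for a negative or very large `length` depends on the types of `length` and `dev->pktlen`, which are declared outside this hunk. Comparing against the remaining space avoids relying on that: `if(length < 0 || length > DEV_PKTBUF_SIZE - dev->pktlen) {`. The log call also formats the sum with `%d`, which is only correct if that expression is a signed int. After the drop `dev->pktlen` is reset to 0, so later fragments of the same oversized transfer will presumably be parsed as fresh packets; a short comment saying whether that is intended would help. device_data_input starts and ends outside the hunk.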
