From 68729a347011a8fb39f1e4aa35ae06c4f2f491d4 Mon Sep 17 00:00:00 2001
From: Hector Martin
Date: Sat, 23 Jan 2010 23:08:35 +0100
Subject: Security fix: check cumulative packet size for split device packets
---
 daemon/device.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/daemon/device.c b/daemon/device.c
index 00c0340..7cda462 100644
--- a/daemon/device.c
+++ b/daemon/device.c
@@ -552,6 +552,11 @@ void device_data_input(struct usb_device *usbdev, unsigned char *buffer, int len
 // handle broken up transfers
 if(dev->pktlen) {
+ if((length + dev->pktlen) > DEV_PKTBUF_SIZE) {
+ usbmuxd_log(LL_ERROR, "Incoming split packet is too large (%d so far), dropping!", length + dev->pktlen);
+ dev->pktlen = 0;
+ return;
+ }
 memcpy(dev->pktbuf + dev->pktlen, buffer, length);
 struct mux_header *mhdr = (struct mux_header *)dev->pktbuf;
 if((length < USB_MRU) || (ntohl(mhdr->length) == length)) {
-- 
cgit v1.1-32-gdbae
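Review bot: The added guard `if((length + dev->pktlen) > DEV_PKTBUF_SIZE)` bounds the `memcpy` only if `length` is non-negative and the sum cannot wrap. The truncated hunk header suggests `length` is a signed `int`, and the type of `dev->pktlen` is not visible here, so both assumptions need confirming. Writing the test as `if(length < 0 || length > DEV_PKTBUF_SIZE - dev->pktlen) {` avoids the addition and rejects a negative length before it is converted to a `size_t` copy size. A short comment on `dev->pktlen = 0;` would also help, for example `// discard the partial packet; later fragments of it will be parsed as a new packet and must fail header validation`. Whether that validation exists cannot be checked from this hunk, because the body of `device_data_input` starts and ends outside it.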