author | Frediano Ziglio <freddy77@gmail.com> | 2021-09-09 11:02:24 +0100 |
---|---|---|
committer | Frediano Ziglio <freddy77@gmail.com> | 2021-12-30 16:25:05 +0000 |
commit | 9426fdb1a5d362b51c2c946681e94dba7e3bf3d9 (patch) | |
tree | b3c378b3940c5effb8a16e5dc653a178bfd1e067 | |
parent | bc64f5e23eeb6cf144649de3a85fe85d1347c52d (diff) |
Check header length unserialising data
Avoid unwanted packets.
The test for header length is moved outside the if.
If the header is not complete, the length will contain 0 bytes for the
part not yet read, so it is a smaller number.
This avoids potential excessive allocations if the header length is
very high.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
-rw-r--r-- | usbredirparser/usbredirparser.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/usbredirparser/usbredirparser.c b/usbredirparser/usbredirparser.c
index b36608a..cd1136b 100644
--- a/usbredirparser/usbredirparser.c
+++ b/usbredirparser/usbredirparser.c
@@ -1881,21 +1881,22 @@ int usbredirparser_unserialize(struct usbredirparser *parser_pub,
 header_len = usbredirparser_get_header_len(parser_pub);
 data = (uint8_t *)&parser->header;
 i = header_len;
+ memset(&parser->header, 0, sizeof(parser->header));
 if (unserialize_data(parser, &state, &remain, &data, &i, "header")) {
 usbredirparser_assert_invariants(parser);
 return -1;
 }
+ if (parser->header.length > MAX_PACKET_SIZE) {
+ ERROR("packet length of %d larger than permitted %d bytes",
+ parser->header.length, MAX_PACKET_SIZE);
+ usbredirparser_assert_invariants(parser);
+ return -1;
+ }
 parser->header_read = i;
 parser->type_header_len = 0;
 /* Set various length field from the header (if any) */
 if (parser->header_read == header_len) {
- if (parser->header.length > MAX_PACKET_SIZE) {
- ERROR("packet length of %d larger than permitted %d bytes",
- parser->header.length, MAX_PACKET_SIZE);
- return -1;
- }
-
 int type_header_len = usbredirparser_get_type_header_len(parser_pub, parser->header.type, 0); |
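Review bot: The relocated length check reads `parser->header.length` even when fewer than `header_len` bytes were unserialised, so it is only sound because of the `memset` added a few lines above it, and nothing in the code records that dependency. A comment on the `memset` would keep it from being dropped later as redundant, for example `/* Zero the header: a partially read length can then only be smaller than the final value, which the size check below relies on. */`. Separately, the `ERROR` call formats `parser->header.length` with `%d`; if that field is an unsigned 32-bit value (its declaration is outside the hunk), an oversized length is logged as a negative number, and `%u` for the first specifier would report it correctly. `usbredirparser_unserialize` begins and ends outside this hunk, so how the length is used after the check is not visible here.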