author | Jaap Keuter <jaap.keuter@xs4all.nl> | 2017-05-03 00:19:03 +0200 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2017-05-03 09:50:27 +0000 |
commit | 62adcd6d17f8f2e620045011a816dbbbbb288e85 (patch) | |
tree | 0fdc3d2fee6e90e310249c662a0eee55868de746 /epan/dissectors/packet-usb.c | |
parent | 37d0e1b0b7fdfa26efaf5811cb56129e9f72f26e (diff) |
USB: prevent array bounds overflow from invalid Darwin transfer type
During 'Darwin' transfer type conversion the network data is taken
as-is, without checking validity. This results in indexing errors.
Add validation before using as array index.
Bug: 13676
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1307
Change-Id: I24ca49bb21ba36a8d6a3c078ac2c05ded7b8d382
Reviewed-on: https://code.wireshark.org/review/21470
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Diffstat (limited to 'epan/dissectors/packet-usb.c')
-rw-r--r-- | epan/dissectors/packet-usb.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/epan/dissectors/packet-usb.c b/epan/dissectors/packet-usb.c
index 7d5b359250..942a3528d3 100644
--- a/epan/dissectors/packet-usb.c
+++ b/epan/dissectors/packet-usb.c
@@ -1355,7 +1355,8 @@ static const guint32 darwin_endpoint_to_linux[] =
 URB_CONTROL,
 URB_ISOCHRONOUS,
 URB_BULK,
- URB_INTERRUPT
+ URB_INTERRUPT,
+ URB_UNKNOWN
 };
 static value_string_ext usb_darwin_status_vals_ext = VALUE_STRING_EXT_INIT(darwin_usb_status_vals);
@@ -3666,11 +3667,11 @@ dissect_darwin_buffer_packet_header(tvbuff_t *tvb, packet_info *pinfo, proto_tre
 proto_tree_add_uint(tree, hf_usb_darwin_endpoint_address, tvb, 30, 1, endpoint_byte);
 proto_tree_add_bitmask(tree, tvb, 30, hf_usb_endpoint_number, ett_usb_endpoint, usb_endpoint_fields, ENC_LITTLE_ENDIAN);
- transfer_type = tvb_get_guint8(tvb, 31);
+ transfer_type = MIN(tvb_get_guint8(tvb, 31), G_N_ELEMENTS(darwin_endpoint_to_linux) - 1);
 usb_conv_info->transfer_type = darwin_endpoint_to_linux[transfer_type];
 proto_tree_add_uint(tree, hf_usb_darwin_endpoint_type, tvb, 31, 1, transfer_type);
- transfer_type_and_direction = darwin_endpoint_to_linux[transfer_type] | (endpoint_byte & 0x80);
+ transfer_type_and_direction = (darwin_endpoint_to_linux[transfer_type] & 0x7F) | (endpoint_byte & 0x80);
 col_append_str(pinfo->cinfo, COL_INFO, val_to_str(transfer_type_and_direction, usb_transfer_type_and_direction_vals, "Unknown type %x"));
 col_append_str(pinfo->cinfo, COL_INFO, usb_conv_info->is_request == TRUE ? " (submitted)" : " (completed)"); |
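Review bot: The new trailing `URB_UNKNOWN` entry in `darwin_endpoint_to_linux[]` is a sentinel that the clamp added in dissect_darwin_buffer_packet_header depends on, but nothing at the table says so. A later edit that appends another transfer type after it would make every out-of-range byte resolve to that type instead of to unknown. A comment on the entry would pin the invariant, for example `URB_UNKNOWN /* sentinel: must stay last, out-of-range Darwin types are clamped to this index */`. The array definition begins above the hunk.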
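Review bot: The clamp is applied before `proto_tree_add_uint(tree, hf_usb_darwin_endpoint_type, tvb, 31, 1, transfer_type)`, so for an out-of-range byte the tree shows the clamped index (4 with the five-entry table) rather than the value actually present at offset 31, which hides the malformed field from anyone analysing the capture. Adding the item from the raw byte first and clamping afterwards keeps the bounds fix and keeps the displayed value true to the packet: `transfer_type = tvb_get_guint8(tvb, 31);` `proto_tree_add_uint(tree, hf_usb_darwin_endpoint_type, tvb, 31, 1, transfer_type);` `transfer_type = MIN(transfer_type, G_N_ELEMENTS(darwin_endpoint_to_linux) - 1);`. Flagging the out-of-range case with an expert-info item would additionally make such packets filterable. The function body starts and ends outside the hunk, so the declaration of transfer_type is not visible here.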