Security fix: check cumulative packet size for split device packets

author: Hector Martin 2010-01-23 23:08:35 +0100
committer: Hector Martin 2010-01-24 00:20:01 +0100
commit: 68729a347011a8fb39f1e4aa35ae06c4f2f491d4 (patch)
tree: 47835492a322b8c9a03f8ae79d5ff2593ca3a615 /daemon/device.c
parent: 11a0f473b5c12a6c0105e8b785e6744d8f23aee3 (diff)
download: usbmuxd-68729a347011a8fb39f1e4aa35ae06c4f2f491d4.tar.gz
usbmuxd-68729a347011a8fb39f1e4aa35ae06c4f2f491d4.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/daemon/device.c b/daemon/device.c
index 00c0340..7cda462 100644
--- a/daemon/device.c
+++ b/daemon/device.c
@@ -552,6 +552,11 @@ void device_data_input(struct usb_device *usbdev, unsigned char *buffer, int len
 
 	// handle broken up transfers
 	if(dev->pktlen) {
+		if((length + dev->pktlen) > DEV_PKTBUF_SIZE) {
+			usbmuxd_log(LL_ERROR, "Incoming split packet is too large (%d so far), dropping!", length + dev->pktlen);
+			dev->pktlen = 0;
+			return;
+		}
 		memcpy(dev->pktbuf + dev->pktlen, buffer, length);
 		struct mux_header *mhdr = (struct mux_header *)dev->pktbuf;
 		if((length < USB_MRU) || (ntohl(mhdr->length) == length)) {
author	Hector Martin	2010-01-23 23:08:35 +0100
committer	Hector Martin	2010-01-24 00:20:01 +0100
commit	68729a347011a8fb39f1e4aa35ae06c4f2f491d4 (patch)
tree	47835492a322b8c9a03f8ae79d5ff2593ca3a615 /daemon/device.c
parent	11a0f473b5c12a6c0105e8b785e6744d8f23aee3 (diff)
download	usbmuxd-68729a347011a8fb39f1e4aa35ae06c4f2f491d4.tar.gz usbmuxd-68729a347011a8fb39f1e4aa35ae06c4f2f491d4.tar.bz2