
Commit 43d246c5 authored by Jacob Abrams

Prevent infinite loop on zero length USB descriptors

If a USB device descriptor has zero length it is invalid and iteration
should stop, otherwise the code iterating will go into an infinite loop.

Bug: 149986186
Test: attach bad USB device with invalid descriptor length 0 then attach
a good USB device and ensure it is recognized properly

Change-Id: I7571a6357bdc13af221cf8be01eba16f5bc976a3
parent 3c0e06d8
+5 −0
@@ -597,6 +597,11 @@ struct usb_descriptor_header *usb_descriptor_iter_next(struct usb_descriptor_ite
    if (iter->curr_desc >= iter->config_end)
        return NULL;
    next = (struct usb_descriptor_header*)iter->curr_desc;
    // Corrupt descriptor with zero length, cannot continue iterating
    if (next->bLength == 0) {
       D("usb_descriptor_iter_next got zero length USB descriptor, ending iteration\n");
       return NULL;
    }
    iter->curr_desc += next->bLength;
    return next;
}
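
Review bot: the new `if (next->bLength == 0)` check rejects only a zero length, so a descriptor whose `bLength` is smaller than the header itself, or large enough to carry `iter->curr_desc` past `iter->config_end`, is still returned to the caller, which can then read fields that lie outside the configuration buffer. Since this branch already treats the descriptor as corrupt and ends iteration, it could also return NULL when `next->bLength < sizeof(*next)` or when `iter->curr_desc + next->bLength > iter->config_end`, which closes the loop case and the out-of-bounds case together. Minor style point: the body of the new `if` is indented by seven spaces, while the rest of the function uses four-space steps.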