From f2d7dab7119615ab092e3feac2f69dc7b31e94a5 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio
Date: Mon, 13 Sep 2021 15:12:43 +0100
Subject: [PATCH] Fix some issues detected by fuzzer

If we fail to unserialize data we need to reset data to avoid invalid state.
We can accept data only if we had data (data_len > 0), otherwise reset it.

This also fixes https://gitlab.freedesktop.org/spice/usbredir/-/issues/21.

Signed-off-by: Frediano Ziglio
---
 usbredirparser/usbredirparser.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/usbredirparser/usbredirparser.c b/usbredirparser/usbredirparser.c
index a0312fb..f9a95e0 100644
--- a/usbredirparser/usbredirparser.c
+++ b/usbredirparser/usbredirparser.c
@@ -1748,6 +1748,7 @@ int usbredirparser_unserialize(struct usbredirparser *parser_pub,
     if (unserialize_data(parser, &state, &remain, &data, &i, "header"))
         return -1;
     parser->header_read = i;
+    parser->type_header_len = 0;
 
     /* Set various length field froms the header (if we've a header) */
     if (parser->header_read == header_len) {
@@ -1782,14 +1783,20 @@ int usbredirparser_unserialize(struct usbredirparser *parser_pub,
         }
     }
     i = parser->data_len;
-    if (unserialize_data(parser, &state, &remain, &parser->data, &i, "data"))
+    if (unserialize_data(parser, &state, &remain, &parser->data, &i, "data")) {
+        free(parser->data);
+        parser->data = NULL;
+        parser->data_len = 0;
         return -1;
+    }
     if (parser->header_read == header_len &&
-        parser->type_header_read == parser->type_header_len) {
+        parser->type_header_read == parser->type_header_len &&
+        parser->data_len > 0) {
         parser->data_read = i;
     } else if (parser->data != NULL) {
         free(parser->data);
         parser->data = NULL;
+        parser->data_len = 0;
     }
 
     /* Get the write buffer count and the write buffers */
-- 
1.8.3.1
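Review bot: In the `else if (parser->data != NULL)` branch of the second hunk, `parser->data_read` keeps its previous value while `data` and `data_len` are reset, so the function can continue with `data == NULL`, `data_len == 0` and a stale non-zero `data_read` — the same kind of inconsistent state this commit is closing; adding `parser->data_read = 0;` beside the new `parser->data_len = 0;` would close it, unless data_read is reset somewhere outside the hunk. The `!= NULL` guard also means the length reset is skipped when `data` is already NULL but `data_len` is stale; since `free(NULL)` is a no-op, the guard can be dropped so the reset is unconditional, e.g. `} else { free(parser->data); parser->data = NULL; parser->data_len = 0; parser->data_read = 0; }`. Whether the `i` stored into `data_read` is bounded by `data_len` is decided inside unserialize_data, which is not visible here, so that remains to be confirmed. usbredirparser_unserialize starts and ends outside both hunks.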