usbredir/0007-Fix-some-issues-detected-by-fuzzer.patch
2021-12-24 16:19:25 +08:00


From f2d7dab7119615ab092e3feac2f69dc7b31e94a5 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Mon, 13 Sep 2021 15:12:43 +0100
Subject: [PATCH] Fix some issues detected by fuzzer
If we fail to unserialize data we need to reset data to avoid
invalid state.
We can accept data only if there was data to begin with (data_len > 0);
otherwise reset it.
This also fixes https://gitlab.freedesktop.org/spice/usbredir/-/issues/21.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
---
usbredirparser/usbredirparser.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/usbredirparser/usbredirparser.c b/usbredirparser/usbredirparser.c
index a0312fb..f9a95e0 100644
--- a/usbredirparser/usbredirparser.c
+++ b/usbredirparser/usbredirparser.c
@@ -1748,6 +1748,7 @@ int usbredirparser_unserialize(struct usbredirparser *parser_pub,
if (unserialize_data(parser, &state, &remain, &data, &i, "header"))
return -1;
parser->header_read = i;
+ parser->type_header_len = 0;
/* Set various length field froms the header (if we've a header) */
if (parser->header_read == header_len) {
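Review bot: The new `parser->type_header_len = 0;` after `parser->header_read = i;` has no comment explaining why the field is cleared here, and its relation to the `if (parser->header_read == header_len)` block that follows is only implied. From the hunk it looks like the length is recomputed from the header only when a complete header was read, so the reset keeps a stale value from an earlier unserialize from surviving when the header is incomplete; if that is the intent, a one-line comment would save the next reader the inference, e.g. `/* Stale from a previous state; recomputed below only once a full header is present. */`. usbredirparser_unserialize starts before this hunk and continues past it, so the earlier assignments to type_header_len are not visible here.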
@@ -1782,14 +1783,20 @@ int usbredirparser_unserialize(struct usbredirparser *parser_pub,
}
}
i = parser->data_len;
- if (unserialize_data(parser, &state, &remain, &parser->data, &i, "data"))
+ if (unserialize_data(parser, &state, &remain, &parser->data, &i, "data")) {
+ free(parser->data);
+ parser->data = NULL;
+ parser->data_len = 0;
return -1;
+ }
if (parser->header_read == header_len &&
- parser->type_header_read == parser->type_header_len) {
+ parser->type_header_read == parser->type_header_len &&
+ parser->data_len > 0) {
parser->data_read = i;
} else if (parser->data != NULL) {
free(parser->data);
parser->data = NULL;
+ parser->data_len = 0;
}
/* Get the write buffer count and the write buffers */
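Review bot: Both reset sites added in this hunk (the error path after the `unserialize_data(..., "data")` call and the `else if (parser->data != NULL)` branch) clear `parser->data` and `parser->data_len` but leave `parser->data_read` untouched, so after a failed or rejected data section the parser can hold data == NULL, data_len == 0 and a non-zero data_read from a previous state. Whether that combination is later read depends on code outside this hunk, but since the commit's stated goal is to avoid an invalid state, adding `parser->data_read = 0;` next to each `parser->data_len = 0;` makes the three fields consistent at once. The same three-line cleanup now appears twice; a small static helper that frees data and zeroes all three fields would keep the two paths from drifting apart. usbredirparser_unserialize continues past the end of this hunk.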
--
1.8.3.1