author | Marcus Meissner <marcus@jet.franken.de> | 2016-02-22 23:51:13 +0100 |
---|---|---|
committer | Marcus Meissner <marcus@jet.franken.de> | 2016-02-22 23:51:13 +0100 |
commit | c809cca15848737b99f1007779ff70bdf87f125a (patch) | |
tree | d0132d9a543e9807fc56653272ea0730610975f7 /camlibs/ptp2/usb.c | |
parent | 74cd26ec2c4d2f6d5a1d84d404f9e046dbc1c146 (diff) | |
download | libgphoto2-c809cca15848737b99f1007779ff70bdf87f125a.tar.gz |
fixed buffer overreads caused by remote device (AFL)
Diffstat (limited to 'camlibs/ptp2/usb.c')
-rw-r--r-- | camlibs/ptp2/usb.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/camlibs/ptp2/usb.c b/camlibs/ptp2/usb.c
index cf840396e..901f7a057 100644
--- a/camlibs/ptp2/usb.c
+++ b/camlibs/ptp2/usb.c
@@ -1,7 +1,7 @@
 /* usb.c
 *
 * Copyright (C) 2001-2004 Mariusz Woloszyn <emsi@ipartners.pl>
- * Copyright (C) 2003-2014 Marcus Meissner <marcus@jet.franken.de>
+ * Copyright (C) 2003-2016 Marcus Meissner <marcus@jet.franken.de>
 * Copyright (C) 2006-2007 Linus Walleij <triad@df.lth.se>
 *
 * This library is free software; you can redistribute it and/or
@@ -262,8 +262,19 @@ ptp_usb_getdata (PTPParams* params, PTPContainer* ptp, PTPDataHandler *handler)
 goto exit;
 if (dtoh16(usbdata.type) != PTP_USB_CONTAINER_DATA) {
 /* We might have got a response instead. On error for instance. */
- /* TODO: check if bytes_read == usbdata.length */
 if (dtoh16(usbdata.type) == PTP_USB_CONTAINER_RESPONSE) {
+ /* responses are short and we should have it as-is right now */
+ if (bytes_read != dtoh32(usbdata.length)) {
+ GP_LOG_E ("Read broken ptp response in data phase, read %d vs %d", bytes_read, dtoh32(usbdata.length));
+ ret = PTP_ERROR_IO;
+ goto exit;
+ }
+ if (dtoh32(usbdata.length) > sizeof(usbdata)) {
+ GP_LOG_E ("Read too large ptp response in data phase, packet %d bytes large", dtoh32(usbdata.length));
+ ret = PTP_ERROR_IO;
+ goto exit;
+ }
+ /* FIXME: maximum size of response packet perhaps ? */
 params->response_packet = malloc(dtoh32(usbdata.length));
 if (!params->response_packet) return PTP_RC_GeneralError;
 memcpy(params->response_packet, (uint8_t *) &usbdata, dtoh32(usbdata.length));
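Review bot: The two new GP_LOG_E calls in the second hunk print the result of `dtoh32(usbdata.length)` with `%d`, which is the wrong specifier if dtoh32 yields a uint32_t as its name suggests; with -Wformat this warns and a device-supplied length above INT_MAX would be logged as a negative number, hiding exactly the oversized packets these checks exist to catch, so use `%u` (or PRIu32): `GP_LOG_E ("Read broken ptp response in data phase, read %d vs %u", bytes_read, dtoh32(usbdata.length));` and likewise `"... packet %u bytes large"`. The same `%d` on `bytes_read` implies it is a signed int, so `bytes_read != dtoh32(usbdata.length)` is a signed/unsigned comparison; a negative bytes_read, if it can reach this point, converts to a huge unsigned value and is rejected only by luck, so an explicit `bytes_read < 0 ||` guard or a cast would make the intent clear. The new checks bound only the upper size: a length smaller than the container header still passes, is malloc'd and copied as-is, and any later parse of response_packet that assumes a full header would overread — I would add a lower bound against the header size alongside the sizeof(usbdata) check, assuming no earlier read path already enforces it. Note also that the pre-existing `if (!params->response_packet) return PTP_RC_GeneralError;` bypasses the `goto exit` cleanup the new error paths use. ptp_usb_getdata continues outside the hunk.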