authorFrediano Ziglio <freddy77@gmail.com>2021-09-13 15:12:43 +0100
committerFrediano Ziglio <freddy77@gmail.com>2021-10-02 16:39:38 +0100
commitfb6cb7fa674128e1fa3c3844940890fa6e562723 (patch)
tree1901d2065dbb1a2c8935b6a5e3307a7abfe8b7a9
parent2e92b52dd511cb8567ff6c4e294273e0ba216349 (diff)
Fix some issues detected by fuzzer
If we fail to unserialize data we need to reset data to avoid invalid state. We can accept data only if we had data (data_len > 0), otherwise reset it. This also fixes https://gitlab.freedesktop.org/spice/usbredir/-/issues/21. Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
-rw-r--r--usbredirparser/usbredirparser.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/usbredirparser/usbredirparser.c b/usbredirparser/usbredirparser.c
index 363b976..e4d5f0e 100644
--- a/usbredirparser/usbredirparser.c
+++ b/usbredirparser/usbredirparser.c
@@ -1864,6 +1864,7 @@ int usbredirparser_unserialize(struct usbredirparser *parser_pub,
return -1;
}
parser->header_read = i;
+ parser->type_header_len = 0;
/* Set various length field from the header (if any) */
if (parser->header_read == header_len) {
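Review bot: The added `parser->type_header_len = 0;` has no comment saying why it sits before the header check, and a reader of the restore path will not see that the branch below only assigns the length when the header is complete. I would tag the line with `/* reset so an incomplete header cannot leave a stale type_header_len from an earlier state */`, which ties it to the invalid-state fix named in the commit message. Whether `type_header_read` needs the same reset is not visible here, so it is only something to confirm. The enclosing function usbredirparser_unserialize starts before this hunk and continues after it.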
@@ -1911,15 +1912,20 @@ int usbredirparser_unserialize(struct usbredirparser *parser_pub,
}
i = parser->data_len;
if (unserialize_data(parser, &state, &remain, &parser->data, &i, "data")) {
+ free(parser->data);
+ parser->data = NULL;
+ parser->data_len = 0;
usbredirparser_assert_invariants(parser);
return -1;
}
if (parser->header_read == header_len &&
- parser->type_header_read == parser->type_header_len) {
+ parser->type_header_read == parser->type_header_len &&
+ parser->data_len > 0) {
parser->data_read = i;
} else if (parser->data != NULL) {
free(parser->data);
parser->data = NULL;
+ parser->data_len = 0;
}
/* Get the write buffer count and the write buffers */
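Review bot: The reject branch resets `data` and `data_len` but leaves `parser->data_read` alone, and it is skipped entirely when `parser->data` is already NULL, so a non-zero `data_len` (set earlier from the header) can survive with no buffer behind it; the new `data_len > 0` condition only guards the accept side. Since `free(NULL)` is a no-op the guard is unnecessary, so I would make the branch unconditional, `} else {`, and add `parser->data_read = 0;` next to the existing `parser->data_len = 0;` so the three fields are reset together. Whether `data_read` is already zeroed before this point is not visible in the hunk, so the extra store is cheap insurance rather than a confirmed bug. The same `data_read` reset would be consistent on the `unserialize_data` failure path above, although that path returns -1 and the caller presumably discards the parser. usbredirparser_unserialize begins before this hunk and continues past it.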