gregkh / usbutils

USB utilities for Linux, including lsusb
http://www.linux-usb.org

usbmisc: don't take string's length at face value #109

Closed cbiffle closed 3 years ago

cbiffle commented 4 years ago

This fixes a read out of bounds when a misbehaving USB device describes its string as being longer than what it actually sends back. Noticed this because libusb kept saying things like

  iManufacturer           1 YOURMOᱡ啰ィ喷
  iProduct                1 YOURMOᱡ啰ィ喷
  iSerial                 1 YOURMOᱡ啰ィ喷
    ...
    iConfiguration          1 YOURMOᱡゥ喷

Notice how the same string changes? That's because it's actually only six characters long; the rest is uninitialized stack memory.

Such malformed strings now print as (error).

Signed-off-by: Cliff L. Biffle <code@cliffle.com>

cbiffle commented 3 years ago

Is this repo a mirror, and I need to go elsewhere? This patch fixes a use of uninitialized stack memory controlled by data sent back by the device...

tormodvolden commented 3 years ago

Would it be an alternative to truncate the string to what is sent back and only add "(truncated)" or "(malformed descriptor)" or something? Strictly it is an error but if the user wants to get as much information as possible from the device, we could be helpful.

gregkh commented 3 years ago

Should now be fixed with e3a98cd4870e ("usbmisc: initialize string buffer before reading from device.") instead.

Thanks for reporting this!
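
The length check discussed in this thread, combined with the truncation alternative suggested above, as an added example that is not usbutils code or the submitted patch. `decode_string_desc`, `render_string_desc`, the status enum and the sample bytes are hypothetical; `received` is assumed to be the byte count the USB transfer call reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum str_status { STR_OK, STR_TRUNCATED, STR_MALFORMED };
/* Constructed sample: bLength (byte 0) claims 26 bytes, only 14 arrive. */
static const uint8_t sample_lying[14] = {26, 0x03, 'Y',0,'O',0,'U',0,'R',0,'M',0,'O',0};

/* buf holds `received` bytes: the count the transfer really returned.
 * Decodes whole UTF-16LE code units to printable ASCII, '?' otherwise. */
enum str_status decode_string_desc(const uint8_t *buf, int received,
                                   char *out, size_t outlen)
{
    if (outlen == 0)
        return STR_MALFORMED;
    out[0] = '\0';
    if (received < 2 || buf[0] < 2 || buf[1] != 0x03) /* 0x03 = STRING */
        return STR_MALFORMED;
    size_t usable = buf[0];                /* device-controlled bLength */
    enum str_status st = STR_OK;
    if (usable > (size_t)received) {       /* claim exceeds data: clamp */
        usable = (size_t)received;
        st = STR_TRUNCATED;
    }
    size_t o = 0;
    for (size_t i = 2; i + 1 < usable && o + 1 < outlen; i += 2) {
        unsigned cu = buf[i] | ((unsigned)buf[i + 1] << 8);
        out[o++] = (cu >= 0x20 && cu < 0x7f) ? (char)cu : '?';
    }
    out[o] = '\0';
    return st;
}

/* Formats one output line in a static buffer (demo only, not reentrant). */
const char *render_string_desc(const uint8_t *buf, int received)
{
    static char line[160];
    char s[128];
    enum str_status st = decode_string_desc(buf, received, s, sizeof s);
    snprintf(line, sizeof line, "%s%s", s, st == STR_TRUNCATED ? " (truncated)"
                                         : st == STR_MALFORMED ? "(error)" : "");
    return line;
}

int main(void)
{
    puts(render_string_desc(sample_lying, (int)sizeof sample_lying));
    return 0;
}
```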