Prevent infinite loop on zero length USB descriptors If a USB device descriptor has zero length it is invalid and iteration should stop otherwise the code iterating will go into an infinite loop. Bug: 149986186 Test: attach bad USB device with invalid descriptor length 0 then attach a good USB device and ensure it is recognized properly Change-Id: I7571a6357bdc13af221cf8be01eba16f5bc976a3

commit: 43d246c5c24291bd578eb46cfbc388dc74204db3 [log] [tgz]
author: Jacob Abrams <satur9nine@gmail.com> Fri Feb 21 10:16:16 2020 -0800
committer: Jacob Abrams <satur9nine@gmail.com> Fri Feb 21 11:11:02 2020 -0800
tree: 0fc73bcdf491dc45ee721a0f111d68444efd0b19
parent: 3c0e06d82953fcd1f0211d966868627a709dde25 [diff] [blame]
diff --git a/libusbhost/usbhost.c b/libusbhost/usbhost.c
index 415488f..3bed0e3 100644
--- a/libusbhost/usbhost.c
+++ b/libusbhost/usbhost.c

@@ -597,6 +597,11 @@
     if (iter->curr_desc >= iter->config_end)
         return NULL;
     next = (struct usb_descriptor_header*)iter->curr_desc;
+    // Corrupt descriptor with zero length, cannot continue iterating
+    if (next->bLength == 0) {
+       D("usb_descriptor_iter_next got zero length USB descriptor, ending iteration\n");
+       return NULL;
+    }
     iter->curr_desc += next->bLength;
     return next;
 }
commit	43d246c5c24291bd578eb46cfbc388dc74204db3	[log] [tgz]
author	Jacob Abrams <satur9nine@gmail.com>	Fri Feb 21 10:16:16 2020 -0800
committer	Jacob Abrams <satur9nine@gmail.com>	Fri Feb 21 11:11:02 2020 -0800
tree	0fc73bcdf491dc45ee721a0f111d68444efd0b19
parent	3c0e06d82953fcd1f0211d966868627a709dde25 [diff] [blame]