That is a problem. Forgot to fix that in the final patch. I will send
out the fix tomorrow.
On Mar 9, 2009, at 3:16 PM, Martin Koegler wrote:
> I noticed a problem with libusb 1.0 for darwin:
> darwin_get_config_descriptor dereferences (*(priv->device)).
> It assumes that priv->device (and *(priv->device)) is never NULL.
> This is not true:
> darwin_open sets device to NULL in its error path.
> If I understand the code correctly, process_new_device never sets this
> field when adding new devices, which means it is initialised to zero.
> So calling libusb_get_config_descriptor on a never opened device
> should crash the application.
> Regards, Martin Kögler
> PS: Please CC me on replies
Fixed in attached patch.
On Thursday, March 12, 2009, at 12:07AM, "Martin Koegler" <mkoegler@...> wrote:
>On Wed, Mar 11, 2009 at 10:56:24PM -0600, Nathan Hjelm wrote:
>> That is a problem. Forgot to fix that in the final patch. I will send
>> out the fix tomorrow.
>Can you please look in
>static int darwin_get_config_descriptor(struct libusb_device *dev, uint8_t config_index, unsigned char *buffer, size_t len, int *host_endian)
> /* sanity check. is the buffer larger than the returned descriptor */
> if (len > sizeof (*desc))
> len = sizeof (*desc);
>In my opinion, this code is wrong too, as it limits the copy operation
>to the header of the data.
>Regards, Martin Kögler
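Added illustration, not code from the thread or from libusb: a small C model of the two defects raised above, the unconditional `*(priv->device)` dereference on a device that was never opened (or whose open failed), and the `len > sizeof (*desc)` clamp that cuts the copy down to the 9-byte configuration header. The structs `model_priv`/`model_device`, the `get_config_descriptor_before`/`_after` functions, the `demo_*` helpers and the sample descriptor bytes are all constructed for this example; the two error codes are stand-ins whose values mirror libusb's `LIBUSB_ERROR_NO_DEVICE` and `LIBUSB_ERROR_OTHER`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the darwin backend's data flow (not libusb's real
 * definitions). The device field is a pointer-to-pointer, mirroring the
 * priv->device that the report sees dereferenced as *(priv->device). */
#define CONFIG_DESC_HEADER_LEN 9      /* bLength .. bMaxPower */
#define MODEL_ERROR_NO_DEVICE  (-4)   /* value mirrors LIBUSB_ERROR_NO_DEVICE */
#define MODEL_ERROR_OTHER      (-99)  /* value mirrors LIBUSB_ERROR_OTHER */

struct model_device {
    const unsigned char *raw_config;  /* full descriptor as read from the device */
    size_t raw_config_len;            /* bytes actually fetched */
};

struct model_priv {
    struct model_device **device;     /* NULL until opened, or after a failed open */
};

/* "Before": the pattern the thread criticises. Dereferences priv->device
 * unconditionally and clamps len to the header size, so the interface and
 * endpoint descriptors after the header are never returned. */
static int get_config_descriptor_before(struct model_priv *priv,
                                        unsigned char *buffer, size_t len)
{
    struct model_device *dev = *(priv->device);   /* NULL deref if never opened */

    if (len > CONFIG_DESC_HEADER_LEN)
        len = CONFIG_DESC_HEADER_LEN;             /* wrong bound: header only */
    memcpy(buffer, dev->raw_config, len);
    return (int)len;
}

/* "After": fail cleanly when there is no opened device, and bound the copy by
 * the descriptor's own wTotalLength (and by what was really fetched). */
static int get_config_descriptor_after(struct model_priv *priv,
                                       unsigned char *buffer, size_t len)
{
    struct model_device *dev;
    size_t total, copy_len;

    /* Never opened (field zero-initialised) or open failed (set to NULL). */
    if (priv == NULL || priv->device == NULL || *(priv->device) == NULL)
        return MODEL_ERROR_NO_DEVICE;
    dev = *(priv->device);

    /* A complete header is needed before wTotalLength can be trusted. */
    if (dev->raw_config == NULL || dev->raw_config_len < CONFIG_DESC_HEADER_LEN)
        return MODEL_ERROR_OTHER;

    /* wTotalLength is little-endian on the wire, bytes 2..3 of the header. */
    total = (size_t)dev->raw_config[2] | ((size_t)dev->raw_config[3] << 8);
    if (total > dev->raw_config_len)
        total = dev->raw_config_len;              /* never read past fetched data */

    copy_len = len < total ? len : total;
    memcpy(buffer, dev->raw_config, copy_len);
    return (int)copy_len;
}

/* Constructed sample: 9-byte configuration header announcing wTotalLength = 25,
 * followed by one interface descriptor and one endpoint descriptor. */
static const unsigned char sample_config[] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,  /* configuration */
    0x09, 0x04, 0x00, 0x00, 0x01, 0xff, 0x00, 0x00, 0x00,  /* interface 0 */
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00               /* bulk IN endpoint */
};

/* Scenario helpers so each case has a named, checkable result. */
static int demo_never_opened(void)
{
    struct model_priv priv = { NULL };            /* as left by zero-initialisation */
    unsigned char buf[64];
    return get_config_descriptor_after(&priv, buf, sizeof buf);
}

static int demo_open_failed(void)
{
    struct model_device *devp = NULL;             /* as left by the open error path */
    struct model_priv priv = { &devp };
    unsigned char buf[64];
    return get_config_descriptor_after(&priv, buf, sizeof buf);
}

static int demo_before_truncates(void)
{
    struct model_device dev = { sample_config, sizeof sample_config };
    struct model_device *devp = &dev;
    struct model_priv priv = { &devp };
    unsigned char buf[64];
    return get_config_descriptor_before(&priv, buf, sizeof buf);   /* only 9 */
}

static int demo_after_copies(size_t len)
{
    struct model_device dev = { sample_config, sizeof sample_config };
    struct model_device *devp = &dev;
    struct model_priv priv = { &devp };
    unsigned char buf[64];
    return get_config_descriptor_after(&priv, buf, len < sizeof buf ? len : sizeof buf);
}

int main(void)
{
    printf("never opened : %d\n", demo_never_opened());
    printf("open failed  : %d\n", demo_open_failed());
    printf("before, 64 B : %d bytes\n", demo_before_truncates());
    printf("after, 64 B  : %d bytes\n", demo_after_copies(64));
    printf("after, 16 B  : %d bytes\n", demo_after_copies(16));
    return 0;
}
```

The "after" variant returns an error instead of crashing for both the never-opened and the failed-open case, copies the full 25-byte descriptor when the caller's buffer is large enough, and still honours a smaller caller buffer by returning only what fits.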