From: libusb T. <tr...@li...> - 2013-06-20 03:31:34
#162: libusb_alloc_transfer vulnerable to integer overflow/underflow
-----------------------------------+------------------------
  Reporter:  meacer                |       Owner:
      Type:  defect                |      Status:  new
 Milestone:  libusb/libusbx 1.2.0  |   Component:  libusb-1.0
Resolution:                        |    Keywords:  security
Blocked By:                        |      Blocks:
-----------------------------------+------------------------

Comment (by meacer):

 I understand that libusb doesn't do any sanitization. However, it's also
 not possible for the user to sanitize input to libusb_alloc_transfer. The
 maximum safe allocation size is determined by implementation details such
 as sizeof(struct libusb_iso_packet_descriptor). It's not possible for the
 client code to know which value of iso_packets will cause an overflow.

 This will lead to the client adding arbitrary limits on iso_packets. In
 the meanwhile, the actual limit can still change when the implementation
 of libusb_alloc_transfer changes.

--
Ticket URL: <https://libusb.org/ticket/162#comment:10>
libusb <https://libusb.org/>
C library for writing portable USB drivers in userspace
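
An added illustration of the point made in the comment above; it is not part of the original message and is not libusb's code. It shows why the bound on iso_packets depends on sizes only the allocator knows, and how a check placed inside the allocator refuses counts that would wrap. The descriptor struct, the 128-byte header size and all function names are assumptions, and size_t is modelled as uint32_t (a 32-bit build) so the results are identical on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for struct libusb_iso_packet_descriptor (assumed: three 32-bit fields). */
struct iso_packet_desc {
    uint32_t length;
    uint32_t actual_length;
    int32_t  status;
};

/* Hypothetical size of the library's private per-transfer header. */
#define HEADER_SIZE 128u
#define DESC_SIZE   ((uint32_t)sizeof(struct iso_packet_desc))

/* Unchecked size computation: wraps modulo 2^32 for large or negative counts. */
uint32_t unchecked_transfer_size(int iso_packets)
{
    return HEADER_SIZE + DESC_SIZE * (uint32_t)iso_packets;
}

/* Largest count whose total size still fits; only the library can compute it. */
uint32_t max_safe_iso_packets(void)
{
    return (UINT32_MAX - HEADER_SIZE) / DESC_SIZE;
}

/* Checked computation: returns the byte count, or 0 if the request must be refused. */
uint32_t checked_transfer_size(int iso_packets)
{
    if (iso_packets < 0)
        return 0;
    if ((uint32_t)iso_packets > max_safe_iso_packets())
        return 0;
    return HEADER_SIZE + DESC_SIZE * (uint32_t)iso_packets;
}

int main(void)
{
    int samples[] = { 8, 357913930, 357913931, 357913942, -1 }; /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%11d  unchecked=%10u  checked=%10u\n", samples[i],
               (unsigned)unchecked_transfer_size(samples[i]),
               (unsigned)checked_transfer_size(samples[i]));
    return 0;
}
```

Changing HEADER_SIZE or the struct layout moves the value returned by max_safe_iso_packets(), which is why a limit hard-coded by the caller cannot stay correct across library versions.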