From: Hans P. S. <hp...@bi...> - 2013-06-20 06:35:45
On 06/20/13 05:31, libusb Trac wrote:
> #162: libusb_alloc_transfer vulnerable to integer overflow/underflow
> -----------------------------------+------------------------
>   Reporter:  meacer                |      Owner:
>       Type:  defect                |     Status:  new
>  Milestone:  libusb/libusbx 1.2.0  |  Component:  libusb-1.0
> Resolution:                        |   Keywords:  security
> Blocked By:                        |     Blocks:
> -----------------------------------+------------------------
>
> Comment (by meacer):
>
>  I understand that libusb doesn't do any sanitization. However, it's also
>  not possible for the user to sanitize input to libusb_alloc_transfer.
>  The maximum safe allocation size is determined by implementation details
>  such as sizeof(struct libusb_iso_packet_descriptor). It's not possible for
>  the client code to know which value of iso_packets will cause an overflow.
>  This will lead to the client adding arbitrary limits on iso_packets. In
>  the meanwhile, the actual limit can still change when the implementation
>  of libusb_alloc_transfer changes.
>

Maybe libusb should define some limits then as macros? In FreeBSD's libusb we have limits on how many isochronous packets can be allocated, and that is not only due to software reasons.

--HPS
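The limit-as-macro idea discussed in this message, as an added example that is not code from libusb, FreeBSD, or either author: a packet-count limit derived from the structure sizes, next to the unchecked size computation it guards. The `demo_*` names, the 64-byte header size and the 32-bit `demo_size_t` (used so the wrap reproduces on any host) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model size_t as 32 bits so the wrap is reproducible on any host. */
typedef uint32_t demo_size_t;
#define DEMO_SIZE_MAX UINT32_MAX

/* Hypothetical stand-ins for the library's private layout (not libusb's own). */
struct demo_iso_packet_desc { unsigned int length, actual_length; int status; };
#define DEMO_HDR_SIZE  64u  /* constructed size of the fixed transfer header */
#define DEMO_DESC_SIZE ((demo_size_t)sizeof(struct demo_iso_packet_desc))

/* The limit the library could export: the largest packet count whose
 * allocation size still fits. It follows the struct sizes automatically. */
#define DEMO_MAX_ISO_PACKETS ((DEMO_SIZE_MAX - DEMO_HDR_SIZE) / DEMO_DESC_SIZE)

/* Unchecked size computation: wraps modulo 2^32 for large counts. */
demo_size_t demo_size_unchecked(int iso_packets)
{
    return DEMO_HDR_SIZE + DEMO_DESC_SIZE * (demo_size_t)iso_packets;
}

/* Checked computation: 0 on success, -1 for a negative or too-large count. */
int demo_size_checked(int iso_packets, demo_size_t *out)
{
    if (iso_packets < 0 || (demo_size_t)iso_packets > DEMO_MAX_ISO_PACKETS)
        return -1;
    *out = demo_size_unchecked(iso_packets);
    return 0;
}

int main(void)
{
    int n = (int)DEMO_MAX_ISO_PACKETS + 1;  /* first count that no longer fits */
    demo_size_t sz = 0;
    printf("limit=%u unchecked(%d)=%u checked=%d\n",
           (unsigned)DEMO_MAX_ISO_PACKETS, n,
           (unsigned)demo_size_unchecked(n), demo_size_checked(n, &sz));
    return 0;
}
```

Because the limit is computed from `sizeof`, a caller comparing against the exported macro stays correct when the descriptor layout changes, which is the problem the ticket comment raises with client-side limits.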