udev: properly calculate size of remaining data

The data comes from the kernel, so chances of it being garbled are low, but for correctness' sake, add the check. CID #996458. Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2015-03-13 21:22:02 -0500
committer: Anthony G. Basile <blueness@gentoo.org> 2015-03-18 20:58:30 -0400
commit: 96010518c65de6c7633560d970a4e171f916c6ea (patch)
tree: 1732ad6b33d091ced73f96c69c6451282ea7cde6
parent: 89fe48ab026869f8b76a3b6a7ea89f0d5c772b31 (diff)
1 files changed, 13 insertions, 11 deletions
diff --git a/src/udev/udev-builtin-usb_id.c b/src/udev/udev-builtin-usb_id.c
index 6516d93a3c..e6c27a901f 100644
--- a/src/udev/udev-builtin-usb_id.c
+++ b/src/udev/udev-builtin-usb_id.c
@@ -150,18 +150,18 @@ static int dev_if_packed_info(struct udev_device *dev, char *ifs_str, size_t len
         _cleanup_close_ int fd = -1;
         ssize_t size;
         unsigned char buf[18 + 65535];
-        int pos = 0;
+        size_t pos = 0;
         unsigned strpos = 0;
         struct usb_interface_descriptor {
-                uint8_t        bLength;
-                uint8_t        bDescriptorType;
-                uint8_t        bInterfaceNumber;
-                uint8_t        bAlternateSetting;
-                uint8_t        bNumEndpoints;
-                uint8_t        bInterfaceClass;
-                uint8_t        bInterfaceSubClass;
-                uint8_t        bInterfaceProtocol;
-                uint8_t        iInterface;
+                uint8_t bLength;
+                uint8_t bDescriptorType;
+                uint8_t bInterfaceNumber;
+                uint8_t bAlternateSetting;
+                uint8_t bNumEndpoints;
+                uint8_t bInterfaceClass;
+                uint8_t bInterfaceSubClass;
+                uint8_t bInterfaceProtocol;
+                uint8_t iInterface;
         } _packed_;
 
         if (asprintf(&filename, "%s/descriptors", udev_device_get_syspath(dev)) < 0)
@@ -178,7 +178,9 @@ static int dev_if_packed_info(struct udev_device *dev, char *ifs_str, size_t len
                 return -EIO;
 
         ifs_str[0] = '\0';
-        while (pos < size && strpos+7 < len-2) {
+        while (pos + sizeof(struct usb_interface_descriptor) < (size_t) size &&
+               strpos + 7 < len - 2) {
+
                 struct usb_interface_descriptor *desc;
                 char if_str[8];
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2015-03-13 21:22:02 -0500
committer	Anthony G. Basile <blueness@gentoo.org>	2015-03-18 20:58:30 -0400
commit	96010518c65de6c7633560d970a4e171f916c6ea (patch)
tree	1732ad6b33d091ced73f96c69c6451282ea7cde6
parent	89fe48ab026869f8b76a3b6a7ea89f0d5c772b31 (diff)