author | Daniel Dressler <danieru.dressler@gmail.com> | 2014-07-17 13:22:14 -0600 |
---|---|---|
committer | Daniel Dressler <danieru.dressler@gmail.com> | 2014-07-17 13:22:14 -0600 |
commit | 98b2e3c59727101531418bb7f88001dbb069c213 (patch) | |
tree | 407c23675f6084bfe64134964ef8e1e11376c1f8 /src | |
parent | 0bf230b0638af1ba148f15bfdd93fbdf72bdaf0a (diff) |
Fix out-of-array-bounds access
Diffstat (limited to 'src')
-rw-r--r-- | src/ippusbxd.c | 27 | ||||
-rw-r--r-- | src/tcp.c | 2 | ||||
-rw-r--r-- | src/usb.c | 11 |
3 files changed, 22 insertions, 18 deletions
diff --git a/src/ippusbxd.c b/src/ippusbxd.c
index d000e69..7539697 100644
--- a/src/ippusbxd.c
+++ b/src/ippusbxd.c
@@ -23,17 +23,19 @@ static void *service_connection(void *arg_void)
 // clasify priority
 while (!arg->tcp->is_closed) {
 struct usb_conn_t *usb = NULL;
+ struct http_message_t *server_msg = NULL;
+ struct http_message_t *client_msg = NULL;
 // Client's request
- struct http_message_t *msg = http_message_new();
- if (msg == NULL) {
+ client_msg = http_message_new();
+ if (client_msg == NULL) {
 ERR("Failed to create message");
 break;
 }
- while (!msg->is_completed) {
+ while (!client_msg->is_completed) {
 struct http_packet_t *pkt;
- pkt = tcp_packet_get(arg->tcp, msg);
+ pkt = tcp_packet_get(arg->tcp, client_msg);
 if (pkt == NULL) break;
 if (usb == NULL) {
@@ -49,17 +51,18 @@ static void *service_connection(void *arg_void)
 usb_conn_packet_send(usb, pkt);
 packet_free(pkt);
 }
- message_free(msg);
+ message_free(client_msg);
+ client_msg = NULL;
 // Server's responce
- msg = http_message_new();
- if (msg == NULL) {
+ server_msg = http_message_new();
+ if (server_msg == NULL) {
 ERR("Failed to create message");
 goto cleanup_subconn;
 }
- while (!msg->is_completed) {
+ while (!server_msg->is_completed) {
 struct http_packet_t *pkt;
- pkt = usb_conn_packet_get(usb, msg);
+ pkt = usb_conn_packet_get(usb, server_msg);
 if (pkt == NULL) break;
@@ -69,8 +72,10 @@ static void *service_connection(void *arg_void)
 }
 cleanup_subconn:
- if (msg != NULL)
- message_free(msg);
+ if (client_msg != NULL)
+ message_free(client_msg);
+ if (server_msg != NULL)
+ message_free(server_msg);
 if (usb != NULL) usb_conn_release(usb);
 }
@@ -125,7 +125,7 @@ error:
 void tcp_packet_send(struct tcp_conn_t *conn, struct http_packet_t *pkt)
 {
 send(conn->sd, pkt->buffer, pkt->filled_size, 0);
- NOTE("sent %lu bytes over tcp\n", pkt->filled_size);
+ NOTE("sent %lu bytes over tcp", pkt->filled_size);
 }
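Review bot: In service_connection the server-response loop calls `usb_conn_packet_get(usb, server_msg)` even when the client loop ended because its first `tcp_packet_get` returned NULL, and on that path `usb` appears to still be NULL, since it is only acquired inside the `if (usb == NULL)` branch whose body lies outside the hunks. A guard placed right after `client_msg = NULL;`, for example `if (usb == NULL) goto cleanup_subconn;`, would keep a connection that closes before sending any data from handing a NULL connection to the USB layer. Whether usb_conn_packet_get tolerates NULL cannot be seen from here, so this should be confirmed against usb.c.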
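Review bot: In tcp_packet_send the result of `send()` is discarded, so the `NOTE` line reports `pkt->filled_size` bytes as sent even after a short or failed write, and the rest of the packet is silently lost. Capture the result with `ssize_t n = send(conn->sd, pkt->buffer, pkt->filled_size, 0);`, report an error when `n < 0 || (size_t)n != pkt->filled_size`, and log `n` rather than the intended size. usb.c assigns `filled_size` to a `size_t`, so the specifier here should be `%zu` instead of `%lu`. The `%d` chosen for `read_size` in usb_conn_packet_get deserves the same check against its declaration, which is outside that hunk.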
@@ -327,9 +327,8 @@ struct usb_conn_t *usb_conn_aquire(struct usb_sock_t *usb,
 void usb_conn_release(struct usb_conn_t *conn)
 {
- // Return usb interface to pool
- uint32_t slot = ++conn->parent->num_avail;
+ uint32_t slot = conn->parent->num_avail++;
 conn->parent->interface_pool[slot] = conn->interface_index;
 // Release our interface lock
@@ -347,10 +346,11 @@ void usb_conn_packet_send(struct usb_conn_t *conn, struct http_packet_t *pkt)
 int timeout = 1000; // in milliseconds
 size_t sent = 0;
 size_t pending = pkt->filled_size;
- size_t portions = (pkt->filled_size / 512) + 1;
+ size_t portions = pkt->filled_size / 512;
+ portions += (pkt->filled_size % 512) > 0 ? 1 : 0;
 for (size_t i = 0; i < portions; i++) {
 int to_send = 512;
- if (pending <= 512)
+ if (pending < 512)
 to_send = (int)pending;
 int status = libusb_bulk_transfer(conn->parent->printer,
@@ -395,7 +395,7 @@ struct http_packet_t *usb_conn_packet_get(struct usb_conn_t *conn, struct http_m
 &gotten_size, timeout);
 if (status != 0 && status != LIBUSB_ERROR_TIMEOUT) {
 ERR("bulk xfer failed with error code %d", status);
- ERR("tried reading %ll bytes", read_size);
+ ERR("tried reading %d bytes", read_size);
 goto cleanup;
 }
 if (gotten_size == 0) {
@@ -404,7 +404,6 @@ struct http_packet_t *usb_conn_packet_get(struct usb_conn_t *conn, struct http_m
 packet_mark_received(pkt, gotten_size);
 read_size_raw = packet_pending_bytes(pkt);
- // TODO: if header not found yet at capacity expand packet
 }
 return pkt; |
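Review bot: In usb_conn_release the store to `conn->parent->interface_pool[slot]` still has no upper bound. The post-increment fixes the off-by-one, but releasing the same connection twice, or two service threads releasing at once, would move `num_avail` past the end of the pool and write out of bounds again. Compare `slot` with the pool's capacity before the store, and keep the increment and the store under whatever lock protects the pool. No lock is visible in the hunk and the function continues past it, so part of this may already be handled elsewhere.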
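Review bot: In usb_conn_packet_send the loop runs a precomputed `portions` count, so a bulk transfer that moves fewer bytes than `to_send` would leave data unsent when the loop ends. The chunk size `512` is also written out four times. A named constant for the chunk size and a loop condition on the remaining bytes, `while (pending > 0)`, would remove both the ceiling arithmetic and the magic number. This assumes `pending` is reduced by the count libusb reports as transferred, which happens after the hunk ends.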