authorDaniel Dressler <danieru.dressler@gmail.com>2014-07-17 13:22:14 -0600
committerDaniel Dressler <danieru.dressler@gmail.com>2014-07-17 13:22:14 -0600
commit98b2e3c59727101531418bb7f88001dbb069c213 (patch)
tree407c23675f6084bfe64134964ef8e1e11376c1f8 /src
parent0bf230b0638af1ba148f15bfdd93fbdf72bdaf0a (diff)
Fix out-of-array-bounds access
Diffstat (limited to 'src')
-rw-r--r--src/ippusbxd.c27
-rw-r--r--src/tcp.c2
-rw-r--r--src/usb.c11
3 files changed, 22 insertions, 18 deletions
diff --git a/src/ippusbxd.c b/src/ippusbxd.c
index d000e69..7539697 100644
--- a/src/ippusbxd.c
+++ b/src/ippusbxd.c
@@ -23,17 +23,19 @@ static void *service_connection(void *arg_void)
// clasify priority
while (!arg->tcp->is_closed) {
struct usb_conn_t *usb = NULL;
+ struct http_message_t *server_msg = NULL;
+ struct http_message_t *client_msg = NULL;
// Client's request
- struct http_message_t *msg = http_message_new();
- if (msg == NULL) {
+ client_msg = http_message_new();
+ if (client_msg == NULL) {
ERR("Failed to create message");
break;
}
- while (!msg->is_completed) {
+ while (!client_msg->is_completed) {
struct http_packet_t *pkt;
- pkt = tcp_packet_get(arg->tcp, msg);
+ pkt = tcp_packet_get(arg->tcp, client_msg);
if (pkt == NULL)
break;
if (usb == NULL) {
@@ -49,17 +51,18 @@ static void *service_connection(void *arg_void)
usb_conn_packet_send(usb, pkt);
packet_free(pkt);
}
- message_free(msg);
+ message_free(client_msg);
+ client_msg = NULL;
// Server's responce
- msg = http_message_new();
- if (msg == NULL) {
+ server_msg = http_message_new();
+ if (server_msg == NULL) {
ERR("Failed to create message");
goto cleanup_subconn;
}
- while (!msg->is_completed) {
+ while (!server_msg->is_completed) {
struct http_packet_t *pkt;
- pkt = usb_conn_packet_get(usb, msg);
+ pkt = usb_conn_packet_get(usb, server_msg);
if (pkt == NULL)
break;
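Review bot: `usb` can still be NULL when the response loop calls `usb_conn_packet_get(usb, server_msg)`: in the first hunk the request loop breaks on `pkt == NULL` before the `if (usb == NULL)` acquisition runs, so a client that connects and sends nothing falls through to here without a USB connection. Whether usb_conn_packet_get tolerates a NULL conn is not visible, but usb_conn_packet_send in src/usb.c dereferences `conn->parent` unguarded, which suggests it does not. A guard placed after `client_msg = NULL;`, `if (usb == NULL) goto cleanup_subconn;`, would keep a silent or aborted TCP connection from crashing the daemon. service_connection's body starts and ends outside this hunk.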
@@ -69,8 +72,10 @@ static void *service_connection(void *arg_void)
}
cleanup_subconn:
- if (msg != NULL)
- message_free(msg);
+ if (client_msg != NULL)
+ message_free(client_msg);
+ if (server_msg != NULL)
+ message_free(server_msg);
if (usb != NULL)
usb_conn_release(usb);
}
diff --git a/src/tcp.c b/src/tcp.c
index 8186356..a736fb3 100644
--- a/src/tcp.c
+++ b/src/tcp.c
@@ -125,7 +125,7 @@ error:
void tcp_packet_send(struct tcp_conn_t *conn, struct http_packet_t *pkt)
{
send(conn->sd, pkt->buffer, pkt->filled_size, 0);
- NOTE("sent %lu bytes over tcp\n", pkt->filled_size);
+ NOTE("sent %lu bytes over tcp", pkt->filled_size);
}
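Review bot: The NOTE line reports `pkt->filled_size` as sent even though the return value of `send()` on the line above is discarded, so a short or failed send is logged as a complete one and the unsent bytes are silently dropped. Capturing the result, e.g. `ssize_t n = send(conn->sd, pkt->buffer, pkt->filled_size, 0);`, logging `n`, and calling ERR when `n < 0` would make the log match what happened on the wire. `filled_size` is assigned to a `size_t` in src/usb.c, so if the field is declared `size_t` the specifier should be `%zu` rather than `%lu`.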
diff --git a/src/usb.c b/src/usb.c
index ba24298..db61b2f 100644
--- a/src/usb.c
+++ b/src/usb.c
@@ -327,9 +327,8 @@ struct usb_conn_t *usb_conn_aquire(struct usb_sock_t *usb,
void usb_conn_release(struct usb_conn_t *conn)
{
-
// Return usb interface to pool
- uint32_t slot = ++conn->parent->num_avail;
+ uint32_t slot = conn->parent->num_avail++;
conn->parent->interface_pool[slot] = conn->interface_index;
// Release our interface lock
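Review bot: The post-increment fixes the off-by-one, but `slot` still indexes `interface_pool` with no upper bound, so releasing the same connection twice would write past the end of the pool again. Checking `slot` against the pool's capacity before the store (the capacity field is not visible in this hunk), with an ERR and early return on failure, would contain that. The read-modify-write on `num_avail` also has to run under whatever lock protects the pool, since service_connection looks like a per-connection thread entry point; the hunk does not show a lock being held at this point. usb_conn_release continues past the end of the hunk.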
@@ -347,10 +346,11 @@ void usb_conn_packet_send(struct usb_conn_t *conn, struct http_packet_t *pkt)
int timeout = 1000; // in milliseconds
size_t sent = 0;
size_t pending = pkt->filled_size;
- size_t portions = (pkt->filled_size / 512) + 1;
+ size_t portions = pkt->filled_size / 512;
+ portions += (pkt->filled_size % 512) > 0 ? 1 : 0;
for (size_t i = 0; i < portions; i++) {
int to_send = 512;
- if (pending <= 512)
+ if (pending < 512)
to_send = (int)pending;
int status = libusb_bulk_transfer(conn->parent->printer,
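Review bot: The literal 512 now appears four times in this function, and the chunk count is computed up front from `filled_size`, which ties correctness to every transfer moving exactly `to_send` bytes. Naming the size once, e.g. `enum { USB_CHUNK_SIZE = 512 };`, and looping `while (pending > 0)` would remove the `portions` arithmetic and the `<` versus `<=` edge case altogether. How `sent` and `pending` are updated after `libusb_bulk_transfer` is outside the hunk, so it is worth confirming that a short or timed-out transfer is retried or reported rather than counted as a full chunk.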
@@ -395,7 +395,7 @@ struct http_packet_t *usb_conn_packet_get(struct usb_conn_t *conn, struct http_m
&gotten_size, timeout);
if (status != 0 && status != LIBUSB_ERROR_TIMEOUT) {
ERR("bulk xfer failed with error code %d", status);
- ERR("tried reading %ll bytes", read_size);
+ ERR("tried reading %d bytes", read_size);
goto cleanup;
}
if (gotten_size == 0) {
@@ -404,7 +404,6 @@ struct http_packet_t *usb_conn_packet_get(struct usb_conn_t *conn, struct http_m
packet_mark_received(pkt, gotten_size);
read_size_raw = packet_pending_bytes(pkt);
- // TODO: if header not found yet at capacity expand packet
}
return pkt;