-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bounded flexible arrays: tag their element count #1409
base: master
Are you sure you want to change the base?
Conversation
Strange that umockdev_test failed in the CI for Linux. |
Can we isolate the bug fix for 1.0.27 and take the rest afterwards? |
First I need someone to review the WIP and tell me if I'm even correct or not. :)
Sure, I can split them. |
bc32800
to
bc06769
Compare
OK, so what you are saying is that if the device erroneously returns a string descriptor with an odd bLength, we would be reading a byte too much from the descriptor buffer, and if bLength=255 also beyond the buffer? We are already issuing a warning on odd bLength, maybe we should just round bLength down to nearest even number before decoding the 16-bit characters? Well, maybe that's what your si_max is doing? :) Do we need all the size_of's? Is it even relevant what the storage size is, if we index them properly? si and di are definitely source respectively destination index. di was used when reading from the source buffer because the latter is an array of 16-bit characters, as noted in a comment since it is a bit counter-intuitive. I guess in your version we wouldn't need both si and di. |
Yes. It came about trying to figure out the count of
Correct. But it's just a warning and doesn't change the buffer read size.
Exactly.
You mean struct usbi_string_descriptor {
uint8_t bLength;
uint8_t bDescriptorType;
uint16_t wData[LIBUSB_FLEXIBLE_ARRAY] LIBUSB_COUNTED_BY((bLength - 2) / 2);
} LIBUSB_PACKED; Since compilers don't support it yet, I'm not sure how complicated the expressions within the 'counted_by' attribute can be...
Thanks for confirming.
Yeah. The source and destination buffers need not be the same size though, so I think it's much safer that they be individually indexed. |
So assuming my analysis is correct here... I'll split this PR into 2 now... |
bc06769
to
ac68a72
Compare
Done: #1432 |
I will pick the LIBUSB_FLEXIBLE_ARRAY rename commit. |
This reflects the C99 terminology, instead of the old hack of using a zero sized array. Also adds the LIBUSB prefix to avoid namespace colisions, as this is present in a public header. References libusb#1409
Thanks to Sean McBride for analysis. References libusb#1409
Looks like clang master just got |
This reflects the C99 terminology, instead of the old hack of using a zero sized array. Also adds the LIBUSB prefix to avoid namespace colisions, as this is present in a public header. References #1409
3c19ac3
to
28394f4
Compare
So I've tried it with clang, and it works except it doesn't allow even simple expressions, so things like |
28394f4
to
76eabb1
Compare
76eabb1
to
2e76f30
Compare
2e76f30
to
9982447
Compare
This will allow catching array overruns with UBSan. See: https://people.kernel.org/kees/bounded-flexible-arrays-in-c
9982447
to
45e563c
Compare
I took a stab at preparing for gcc/clang adding support for bounds checking of flexible arrays, see:
https://people.kernel.org/kees/bounded-flexible-arrays-in-c
And I think I found a small buffer overread in the process...