hrev43620 adds 1 changeset to branch 'master' old head: 90b92dab5c83442b688ec80b7c63497ffce9da02 new head: f13be4928b1e32127ce71325fbf50f0e943c0566 ---------------------------------------------------------------------------- f13be49: Pad the transfer buffer to prevent out of bounds access. The HIDReportItem reads 32 bit chunks from the report buffer. To avoid having to check the remaining buffer space on each extraction, we pad the buffer so it is always valid to read 32 bits at a time. Also add a comment explaining why we do it that way. Thanks to Johannes Anderwald for pointing out the potential out of bound access! [ Michael Lotz <mmlr@xxxxxxxx> ] ---------------------------------------------------------------------------- Revision: hrev43620 Commit: f13be4928b1e32127ce71325fbf50f0e943c0566 URL: http://cgit.haiku-os.org/haiku/commit/?id=f13be49 Author: Michael Lotz <mmlr@xxxxxxxx> Date: Wed Jan 4 22:33:07 2012 UTC ---------------------------------------------------------------------------- 1 files changed, 5 insertions(+), 1 deletions(-) .../kernel/drivers/input/usb_hid/HIDDevice.cpp | 6 +++++- ----------------------------------------------------------------------------
diff --git a/src/add-ons/kernel/drivers/input/usb_hid/HIDDevice.cpp b/src/add-ons/kernel/drivers/input/usb_hid/HIDDevice.cpp
index 8028d4d..aeacd6e 100644
--- a/src/add-ons/kernel/drivers/input/usb_hid/HIDDevice.cpp
+++ b/src/add-ons/kernel/drivers/input/usb_hid/HIDDevice.cpp
@@ -186,7 +186,11 @@ HIDDevice::HIDDevice(usb_device device, const usb_configuration_info *config,
 		return;
 	}
 
-	fTransferBuffer = (uint8 *)malloc(fTransferBufferSize);
+	// We pad the allocation size so that we can always read 32 bits at a time
+	// (as done in HIDReportItem) without the need for an additional boundary
+	// check. We don't increase the transfer buffer size though as to not expose
+	// this implementation detail onto the device when scheduling transfers.
+	fTransferBuffer = (uint8 *)malloc(fTransferBufferSize + 3);
 	if (fTransferBuffer == NULL) {
 		TRACE_ALWAYS("failed to allocate transfer buffer\n");
 		fStatus = B_NO_MEMORY;
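Review bot: The three padding bytes added on the `malloc(fTransferBufferSize + 3)` line are never initialized, so a 32-bit read in HIDReportItem that straddles the end of the report now consumes whatever stale heap content malloc hands back instead of faulting; if the extraction masks those bits off this is harmless, but it is still a read of indeterminate memory and worth making deterministic with `memset(fTransferBuffer + fTransferBufferSize, 0, 3);` after the NULL check (or a calloc-style allocation). The literal 3 silently encodes the read width used in HIDReportItem; a named constant such as `fTransferBuffer = (uint8 *)malloc(fTransferBufferSize + (sizeof(uint32) - 1));` would keep the two files visibly coupled if that width ever changes. The type of fTransferBufferSize is not visible here; presumably it is far from its maximum, but if it is derived from device-supplied descriptor values the `+ 3` should be checked for wraparound. The enclosing constructor starts and ends outside the hunk.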