Skip to content

Commit

Permalink
Fix UAF in r->data ptr after realloc
Browse files Browse the repository at this point in the history
  • Loading branch information
@petabyt
petabyt committed Feb 2, 2024
1 parent 3586b32 commit 7cad9de
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 1 deletion.
2 changes: 1 addition & 1 deletion src/camlib.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ struct PtpRuntime {
int session;

/// @brief Global buffer for data reading and writing
/// @note Can grow in size as needed.
/// @note This is volatile - it will grow in size (pointer will change) when needed.
uint8_t *data;
int data_length;

Expand Down
5 changes: 5 additions & 0 deletions src/transport.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,8 @@ int ptpip_read_packet(struct PtpRuntime *r, int of) {
if (rc) return rc;
}

h = (struct PtpIpHeader *)(r->data + of);

while (1) {
rc = ptpip_cmd_read(r, r->data + of + read, h->length - read);

Expand Down Expand Up @@ -246,6 +248,9 @@ int ptpipusb_read_packet(struct PtpRuntime *r, int of) {
if (rc) return rc;
}

// Update struct after resize
h = (struct PtpBulkContainer *)(r->data + of);

while (1) {
rc = ptpip_cmd_read(r, r->data + of + read, h->length - read);

Expand Down

0 comments on commit 7cad9de

Please sign in to comment.