From 7cad9de598543b8def1522d1e487db9fdac47548 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Fri, 2 Feb 2024 16:36:21 -0500
Subject: [PATCH] Fix UAF in r->data ptr after realloc

---
 src/camlib.h | 2 +-
 src/transport.c | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/camlib.h b/src/camlib.h
index f86b37a..8973793 100644
--- a/src/camlib.h
+++ b/src/camlib.h
@@ -111,7 +111,7 @@ struct PtpRuntime {
 	int session;
 	/// @brief Global buffer for data reading and writing
-	/// @note Can grow in size as needed.
+	/// @note This is volatile - it will grow in size (pointer will change) when needed.
 	uint8_t *data;
 	int data_length;
diff --git a/src/transport.c b/src/transport.c
index 14a9761..2673079 100644
--- a/src/transport.c
+++ b/src/transport.c
@@ -81,6 +81,8 @@ int ptpip_read_packet(struct PtpRuntime *r, int of) {
 		if (rc) return rc;
 	}
+	h = (struct PtpIpHeader *)(r->data + of);
+
 	while (1) {
 		rc = ptpip_cmd_read(r, r->data + of + read, h->length - read);
@@ -246,6 +248,9 @@ int ptpipusb_read_packet(struct PtpRuntime *r, int of) {
 		if (rc) return rc;
 	}
+	// Update struct after resize
+	h = (struct PtpBulkContainer *)(r->data + of);
+
 	while (1) {
 		rc = ptpip_cmd_read(r, r->data + of + read, h->length - read);
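Review bot: The new `@note` in camlib.h describes the `data` field as "volatile", which in a C header reads as the `volatile` qualifier rather than "may be reallocated"; the word is likely to mislead the next reader since the field is not and should not be declared `volatile`. The point the commit wants to make is an ownership/lifetime rule that callers must follow, so state it as one: `/// @note May be reallocated (and so change address) by any call that grows the buffer; re-derive every pointer into it after such a call instead of caching it.` That wording also tells a reader why the transport.c hunks below refresh their header pointers after the resize block.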
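Review bot: The refresh `h = (struct PtpIpHeader *)(r->data + of);` in the ptpip_read_packet hunk carries no comment, while the parallel line in the ptpipusb_read_packet hunk is explained by `// Update struct after resize`; a reader of the first function has no hint that the assignment is a use-after-free guard rather than a stray re-initialisation. Give it the same rationale in both places, e.g. `// r->data may have been reallocated above; re-derive h so it does not dangle`. Both fixes re-derive `h` only once, immediately after the resize block; if `ptpip_cmd_read` in the following `while (1)` loop can itself grow `r->data` (not visible here), `h->length - read` would dereference a stale pointer again on the next iteration, so it is worth confirming that nothing inside the loop reallocates the buffer and noting that invariant next to the refresh. Both enclosing functions begin and end outside their hunks, so the code that validates `of` and `h->length` against `r->data_length` before this point could not be checked from the patch.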