diff options
author | Dingyan Li <18500469033@163.com> | 2023-03-11 21:48:59 +0800 |
---|---|---|
committer | Dingyan Li <18500469033@163.com> | 2023-03-11 21:48:59 +0800 |
commit | 5d7d3d14b660ef453e657dc661a380649e6f0f7d (patch) | |
tree | 4831fecefa3c651cce76172e4594f055bde28231 | |
parent | ed23f7556dd3da4a728ec6d409cf6c265fe2a124 (diff) | |
download | usbutils-5d7d3d14b660ef453e657dc661a380649e6f0f7d.tar.gz |
Fix an incorrect length value in hid descriptor.
While dumping descriptors of a USB hid device, I saw a weird line:
'Report Descriptor: (length is -1)'
This is because variable 'n' is used to hold a potential negative
integer value even though it's an unsigned int type in function
dump_hid_device. When usb_control_msg() fails, overflow happens.
It will always pass the 'if' statement below and call dump_report_desc(),
where this weird line finally shows up.
To fix it, an int type should be used to avoid overflow.
Signed-off-by: Dingyan Li <18500469033@163.com>
-rw-r--r-- | lsusb.c | 10 |
1 files changed, 6 insertions, 4 deletions
@@ -2438,8 +2438,7 @@ static void dump_hid_device(libusb_device_handle *dev, const struct libusb_interface_descriptor *interface, const unsigned char *buf) { - unsigned int i, len; - unsigned int n; + int i, len; unsigned char dbuf[8192]; if (buf[1] != LIBUSB_DT_HID) @@ -2474,13 +2473,13 @@ static void dump_hid_device(libusb_device_handle *dev, if (buf[6+3*i] != LIBUSB_DT_REPORT) continue; len = buf[7+3*i] | (buf[8+3*i] << 8); - if (len > (unsigned int)sizeof(dbuf)) { + if (len > (int)sizeof(dbuf)) { printf("report descriptor too long\n"); continue; } if (libusb_claim_interface(dev, interface->bInterfaceNumber) == 0) { int retries = 4; - n = 0; + int n = 0; while (n < len && retries--) n = usb_control_msg(dev, LIBUSB_ENDPOINT_IN | LIBUSB_REQUEST_TYPE_STANDARD @@ -2495,6 +2494,9 @@ static void dump_hid_device(libusb_device_handle *dev, if (n < len) printf(" Warning: incomplete report descriptor\n"); dump_report_desc(dbuf, n); + } else { + printf(" Warning: can't get report descriptor, %s\n", + libusb_error_name(n)); } libusb_release_interface(dev, interface->bInterfaceNumber); } else { |