From 484743f652bdb238568b1b8cf815c7f6dd9ca724 Mon Sep 17 00:00:00 2001
From: Benjamin Berg
Date: Thu, 7 May 2020 20:13:00 +0200
Subject: [PATCH] upekts: Assert correct packet length in __handle_incoming_msg

The surrounding code already checks this and reads the correct amount.
Add an assert to ensure we really never do an out of bounds read.
---
 libfprint/drivers/upekts.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/libfprint/drivers/upekts.c b/libfprint/drivers/upekts.c
index c9a8a2e..e6fac76 100644
--- a/libfprint/drivers/upekts.c
+++ b/libfprint/drivers/upekts.c
@@ -235,12 +235,19 @@ __handle_incoming_msg (FpDevice *device,
 {
   GError *error = NULL;
   guint8 *buf = udata->buffer;
-  guint16 len = ((buf[5] & 0xf) << 8) | buf[6];
-  guint16 computed_crc = udf_crc (buf + 4, len + 3);
-  guint16 msg_crc = (buf[len + 8] << 8) | buf[len + 7];
+  guint16 len;
+  guint16 computed_crc;
+  guint16 msg_crc;
   unsigned char *retdata = NULL;
   unsigned char code_a, code_b;
 
+  g_assert (udata->buflen >= 6);
+  len = ((buf[5] & 0xf) << 8) | buf[6];
+
+  g_assert (udata->buflen >= len + 9);
+  computed_crc = udf_crc (buf + 4, len + 3);
+  msg_crc = (buf[len + 8] << 8) | buf[len + 7];
+
   if (computed_crc != msg_crc)
     {
       fp_err ("CRC failed, got %04x expected %04x", msg_crc, computed_crc);
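Review bot: The first added assertion is off by one: `g_assert (udata->buflen >= 6);` still admits buflen == 6, yet the line right after it reads buf[6], which needs at least 7 bytes, so it should be `g_assert (udata->buflen >= 7);`. The second assertion (buflen >= len + 9) does cover the reads at buf[len + 7] and buf[len + 8], so only the header check is short. Note also that g_assert is compiled out when G_DISABLE_ASSERT is defined, so if buflen ultimately comes from the device, a real length check that returns an error (as the CRC mismatch path below does) would keep the bound enforced in release builds; if the caller already guarantees the length, a comment on the asserts saying where that guarantee comes from would help the next reader. __handle_incoming_msg begins before this hunk and continues past it.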