usbutils/0004-fix-incorrect-value.patch

From 5d7d3d14b660ef453e657dc661a380649e6f0f7d Mon Sep 17 00:00:00 2001
From: Dingyan Li <18500469033@163.com>
Date: Sat, 11 Mar 2023 21:48:59 +0800
Subject: [PATCH] Fix an incorrect length value in hid descriptor.

While dumping descriptors of a USB hid device, I saw a weird line:
'Report Descriptor: (length is -1)'

This is because variable 'n' is used to hold a potential negative
integer value even though it's an unsigned int type in function
dump_hid_device. When usb_control_msg() fails, overflow happens.
It will always pass the 'if' statement below and call dump_report_desc(),
where this weird line finally shows up.

To fix it, an int type should be used to avoid overflow.

Signed-off-by: Dingyan Li <18500469033@163.com>
---
 lsusb.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lsusb.c b/lsusb.c
index 90825c5..46c9b49 100644
--- a/lsusb.c
+++ b/lsusb.c
@@ -2438,8 +2438,7 @@ static void dump_hid_device(libusb_device_handle *dev,
 			    const struct libusb_interface_descriptor *interface,
 			    const unsigned char *buf)
 {
-	unsigned int i, len;
-	unsigned int n;
+	int i, len;
 	unsigned char dbuf[8192];
 
 	if (buf[1] != LIBUSB_DT_HID)
@@ -2474,13 +2473,13 @@ static void dump_hid_device(libusb_device_handle *dev,
 		if (buf[6+3*i] != LIBUSB_DT_REPORT)
 			continue;
 		len = buf[7+3*i] | (buf[8+3*i] << 8);
-		if (len > (unsigned int)sizeof(dbuf)) {
+		if (len > (int)sizeof(dbuf)) {
 			printf("report descriptor too long\n");
 			continue;
 		}
 		if (libusb_claim_interface(dev, interface->bInterfaceNumber) == 0) {
 			int retries = 4;
-			n = 0;
+			int n = 0;
 			while (n < len && retries--)
 				n = usb_control_msg(dev,
 					 LIBUSB_ENDPOINT_IN | LIBUSB_REQUEST_TYPE_STANDARD
@@ -2495,6 +2494,9 @@ static void dump_hid_device(libusb_device_handle *dev,
 				if (n < len)
 					printf("          Warning: incomplete report descriptor\n");
 				dump_report_desc(dbuf, n);
+			} else {
+				printf("          Warning: can't get report descriptor, %s\n",
+						  libusb_error_name(n));
 			}
 			libusb_release_interface(dev, interface->bInterfaceNumber);
 		} else {
fix incorrect question (cherry picked from commit 02ecba6ec7f97b15120f33b8e34e7765a12ef94f) 2024-09-18 11:45:23 +00:00			`From 5d7d3d14b660ef453e657dc661a380649e6f0f7d Mon Sep 17 00:00:00 2001`
			`From: Dingyan Li <18500469033@163.com>`
			`Date: Sat, 11 Mar 2023 21:48:59 +0800`
			`Subject: [PATCH] Fix an incorrect length value in hid descriptor.`

			`While dumping descriptors of a USB hid device, I saw a weird line:`
			`'Report Descriptor: (length is -1)'`

			`This is because variable 'n' is used to hold a potential negative`
			`integer value even though it's an unsigned int type in function`
			`dump_hid_device. When usb_control_msg() fails, overflow happens.`
			`It will always pass the 'if' statement below and call dump_report_desc(),`
			`where this weird line finally shows up.`

			`To fix it, an int type should be used to avoid overflow.`

			`Signed-off-by: Dingyan Li <18500469033@163.com>`
			`---`
			`lsusb.c \| 10 ++++++----`
			`1 file changed, 6 insertions(+), 4 deletions(-)`

			`diff --git a/lsusb.c b/lsusb.c`
			`index 90825c5..46c9b49 100644`
			`--- a/lsusb.c`
			`+++ b/lsusb.c`
			`@@ -2438,8 +2438,7 @@ static void dump_hid_device(libusb_device_handle *dev,`
			`const struct libusb_interface_descriptor *interface,`
			`const unsigned char *buf)`
			`{`
			`- unsigned int i, len;`
			`- unsigned int n;`
			`+ int i, len;`
			`unsigned char dbuf[8192];`

			`if (buf[1] != LIBUSB_DT_HID)`
			`@@ -2474,13 +2473,13 @@ static void dump_hid_device(libusb_device_handle *dev,`
			`if (buf[6+3*i] != LIBUSB_DT_REPORT)`
			`continue;`
			`len = buf[7+3i] \| (buf[8+3i] << 8);`
			`- if (len > (unsigned int)sizeof(dbuf)) {`
			`+ if (len > (int)sizeof(dbuf)) {`
			`printf("report descriptor too long\n");`
			`continue;`
			`}`
			`if (libusb_claim_interface(dev, interface->bInterfaceNumber) == 0) {`
			`int retries = 4;`
			`- n = 0;`
			`+ int n = 0;`
			`while (n < len && retries--)`
			`n = usb_control_msg(dev,`
			`LIBUSB_ENDPOINT_IN \| LIBUSB_REQUEST_TYPE_STANDARD`
			`@@ -2495,6 +2494,9 @@ static void dump_hid_device(libusb_device_handle *dev,`
			`if (n < len)`
			`printf(" Warning: incomplete report descriptor\n");`
			`dump_report_desc(dbuf, n);`
			`+ } else {`
			`+ printf(" Warning: can't get report descriptor, %s\n",`
			`+ libusb_error_name(n));`
			`}`
			`libusb_release_interface(dev, interface->bInterfaceNumber);`
			`} else {`