From 5d7d3d14b660ef453e657dc661a380649e6f0f7d Mon Sep 17 00:00:00 2001
From: Dingyan Li <18500469033@163.com>
Date: Sat, 11 Mar 2023 21:48:59 +0800
Subject: [PATCH] Fix an incorrect length value in hid descriptor.
While dumping descriptors of a USB hid device, I saw a weird line: 'Report Descriptor: (length is -1)' This is because variable 'n' is used to hold a potential negative integer value even though it's an unsigned int type in function dump_hid_device. When usb_control_msg() fails, overflow happens. It will always pass the 'if' statement below and call dump_report_desc(), where this weird line finally shows up. To fix it, an int type should be used to avoid overflow.
Signed-off-by: Dingyan Li <18500469033@163.com>
---
 lsusb.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/lsusb.c b/lsusb.c
index 90825c5..46c9b49 100644
--- a/lsusb.c
+++ b/lsusb.c
@@ -2438,8 +2438,7 @@ static void dump_hid_device(libusb_device_handle *dev,
 const struct libusb_interface_descriptor *interface,
 const unsigned char *buf)
 {
- unsigned int i, len;
- unsigned int n;
+ int i, len;
 unsigned char dbuf[8192];

 if (buf[1] != LIBUSB_DT_HID)
@@ -2474,13 +2473,13 @@ static void dump_hid_device(libusb_device_handle *dev,
 if (buf[6+3*i] != LIBUSB_DT_REPORT)
 continue;
 len = buf[7+3*i] | (buf[8+3*i] << 8);
- if (len > (unsigned int)sizeof(dbuf)) {
+ if (len > (int)sizeof(dbuf)) {
 printf("report descriptor too long\n");
 continue;
 }
 if (libusb_claim_interface(dev, interface->bInterfaceNumber) == 0) {
 int retries = 4;
- n = 0;
+ int n = 0;
 while (n < len && retries--)
 n = usb_control_msg(dev,
 LIBUSB_ENDPOINT_IN | LIBUSB_REQUEST_TYPE_STANDARD
@@ -2495,6 +2494,9 @@ static void dump_hid_device(libusb_device_handle *dev,
 if (n < len)
 printf(" Warning: incomplete report descriptor\n");
 dump_report_desc(dbuf, n);
+ } else {
+ printf(" Warning: can't get report descriptor, %s\n",
+ libusb_error_name(n));
 }
 libusb_release_interface(dev, interface->bInterfaceNumber);
 } else {
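Review bot: The `else` branch added in the last hunk also runs when `n` is 0, not only when the transfer failed. If the device reports a zero-length report descriptor, `len` is 0, the `while (n < len && retries--)` loop in the second hunk never executes, and `libusb_error_name(0)` prints `LIBUSB_SUCCESS` after "can't get report descriptor". Splitting the cases keeps the output accurate for device-supplied lengths: use `} else if (n < 0) {` for the error text and a plain `} else {` that reports an empty descriptor. The `if` this `else` pairs with lies above the hunk, so this assumes it tests `n > 0` and that `usb_control_msg()` returns a libusb error code on failure; both are worth confirming in lsusb.c.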