On 2012.07.12 16:23, Toby Gray wrote:
> This was tracked down to being due to our process calling
> libusb_get_device_list multiple times in the same process. Every time
> this was called then the HID device path was appended to the list of
> device's interfaces.
>
> Eventually this causes priv->hid->nb_interfaces to be
> USB_MAX_INTERFACES. This causes set_hid_interface() to write off the end
> of the priv->usb_interface array, corrupting the value for priv->hid.

Nice one. I've been able to reproduce the issue in xusb as well, by simply issuing a bunch of successive libusb_get_device_list(), without calling on libusb_free_device_list(), and confirmed a crash past the 32 mark.

> The attached patch fixes this by not adding the same interface path
> twice. It also adds a check for the interface table getting full.

Ideally I don't think we want to call set_hid_interface() more than we need to, which is what happens here. So while your patch looks OK, and I think checking for an out of bound array is probably something we want to keep, there may be an alternate way we can use that avoids checking strings. I'll see if I can come up with something.

Regards,

/Pete

_______________________________________________
libusbx-devel mailing list
libusbx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libusbx-devel
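
A simplified model of the failure discussed in this thread and of the two checks the quoted patch description names (skip a path that is already present, refuse to write when the table is full), added here as an illustration; it is not code from libusbx or from the attached patch. `struct iface_table`, the function names and the sample paths are hypothetical, and the limit of 32 is assumed from the crash point reported above.

```c
#include <stdio.h>
#include <string.h>
#define MAX_INTERFACES 32 /* assumed from the "32 mark" in the thread */

/* Hypothetical stand-in for a per-device interface table (not libusbx's struct). */
struct iface_table {
    const char *path[MAX_INTERFACES];
    int nb_interfaces;
};

/* "Before": appends on every enumeration; the 33rd call writes past path[]. */
void add_path_naive(struct iface_table *t, const char *p) {
    t->path[t->nb_interfaces++] = p;
}

/* "After": returns 0 = added, 1 = already present, -1 = table full. */
int add_path_checked(struct iface_table *t, const char *p) {
    for (int i = 0; i < t->nb_interfaces; i++)
        if (strcmp(t->path[i], p) == 0)
            return 1;
    if (t->nb_interfaces >= MAX_INTERFACES)
        return -1;
    t->path[t->nb_interfaces++] = p;
    return 0;
}

/* Entries left after `rounds` enumerations that report the same HID path. */
int count_after_rounds(int rounds, int checked) {
    struct iface_table t = { {0}, 0 };
    for (int i = 0; i < rounds; i++) {
        if (checked) add_path_checked(&t, "constructed-hid-path");
        else add_path_naive(&t, "constructed-hid-path");
    }
    return t.nb_interfaces;
}

/* Fill the table with 32 distinct constructed paths, then try one more. */
int add_when_full(void) {
    static const char s[] = "0123456789abcdefghijklmnopqrstuv"; /* suffixes differ */
    struct iface_table t = { {0}, 0 };
    for (int i = 0; i < MAX_INTERFACES; i++)
        add_path_checked(&t, s + i);
    return add_path_checked(&t, "extra");
}

int main(void) {
    printf("%d %d %d\n", count_after_rounds(5, 0), count_after_rounds(5, 1), add_when_full());
    return 0;
}
```

The duplicate check keeps the entry count flat across repeated enumerations, while the bounds check is the backstop that turns a full table into an error return instead of an out-of-bounds write.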