Fix transfer length validation in Usb Api.

chrome/browser/extensions/api/usb/usb_api.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/api/usb/usb_api.h"
 
 #include <string>
 #include <vector>
 
 #include "base/memory/scoped_ptr.h"
@@ skipping 44 matching lines @@
 static const char* kErrorCannotReleaseInterface = "Error releasing interface.";
 static const char* kErrorCannotSetInterfaceAlternateSetting =
     "Error setting alternate interface setting.";
 static const char* kErrorConvertDirection = "Invalid transfer direction.";
 static const char* kErrorConvertRecipient = "Invalid transfer recipient.";
 static const char* kErrorConvertRequestType = "Invalid request type.";
 static const char* kErrorMalformedParameters = "Error parsing parameters.";
 static const char* kErrorNoDevice = "No such device.";
 static const char* kErrorPermissionDenied =
     "Permission to access device was denied";
+static const char* kErrorInvalidTransferLength = "Transfer length must be a "
+    "positive number less than 104,857,600.";
 
+static const size_t kMaxTransferLength = 100 * 1024 * 1024;
 static UsbDevice* device_for_test_ = NULL;
 
 static bool ConvertDirection(const Direction& input,
                              UsbDevice::TransferDirection* output) {
   switch (input) {
     case usb::DIRECTION_IN:
       *output = UsbDevice::INBOUND;
       return true;
     case usb::DIRECTION_OUT:
       *output = UsbDevice::OUTBOUND;
@@ skipping 46 matching lines @@
       return false;
   }
   NOTREACHED();
   return false;
 }
 
 template<class T>
 static bool GetTransferSize(const T& input, size_t* output) {
   if (input.direction == usb::DIRECTION_IN) {
     const int* length = input.length.get();
-    if (length) {
+    if (length && *length >= 0 &&
+        static_cast<size_t>(*length) < kMaxTransferLength) {
       *output = *length;
       return true;
     }
   } else if (input.direction == usb::DIRECTION_OUT) {
     if (input.data.get()) {
       *output = input.data->size();
       return true;
     }
   }
   return false;
 }
 
 template<class T>
-static scoped_refptr<net::IOBuffer> CreateBufferForTransfer(const T& input) {
-  size_t size = 0;
-  if (!GetTransferSize(input, &size))
+static scoped_refptr<net::IOBuffer> CreateBufferForTransfer(
+    const T& input, UsbDevice::TransferDirection direction, size_t size) {
+
+  if (size > kMaxTransferLength)
     return NULL;
 
   // Allocate a |size|-bytes buffer, or a one-byte buffer if |size| is 0. This
   // is due to an impedance mismatch between IOBuffer and URBs. An IOBuffer
   // cannot represent a zero-length buffer, while an URB can.
   scoped_refptr<net::IOBuffer> buffer = new net::IOBuffer(std::max(
       static_cast<size_t>(1), size));
-  if (!input.data.get())
+
+  if (direction == UsbDevice::INBOUND) {
     return buffer;
-
-  memcpy(buffer->data(), input.data->data(), size);
-  return buffer;
+  } else if (direction == UsbDevice::OUTBOUND) {
+    if (input.data.get() && size <= input.data->size()) {
+      memcpy(buffer->data(), input.data->data(), size);
+      return buffer;
+    }
+  }
+  NOTREACHED();
+  return NULL;
 }
 
 static const char* ConvertTransferStatusToErrorString(
     const UsbTransferStatus status) {
   switch (status) {
     case USB_TRANSFER_COMPLETED:
       return "";
     case USB_TRANSFER_ERROR:
       return kErrorGeneric;
     case USB_TRANSFER_TIMEOUT:
@@ skipping 297 matching lines @@
   if (!device) {
     CompleteWithError(kErrorNoDevice);
     return;
   }
 
   const ControlTransferInfo& transfer = parameters_->transfer_info;
 
   UsbDevice::TransferDirection direction;
   UsbDevice::TransferRequestType request_type;
   UsbDevice::TransferRecipient recipient;
-  size_t size;
-  scoped_refptr<net::IOBuffer> buffer = CreateBufferForTransfer(transfer);
+  size_t size = 0;
 
   if (!ConvertDirectionSafely(transfer.direction, &direction) ||
       !ConvertRequestTypeSafely(transfer.request_type, &request_type) ||
       !ConvertRecipientSafely(transfer.recipient, &recipient)) {
     AsyncWorkCompleted();
     return;
   }
 
-  if (!GetTransferSize(transfer, &size) || !buffer) {
+  if (!GetTransferSize(transfer, &size)) {
+    CompleteWithError(kErrorInvalidTransferLength);
+    return;
+  }
+
+  scoped_refptr<net::IOBuffer> buffer = CreateBufferForTransfer(
+      transfer, direction, size);
+  if (!buffer) {
     CompleteWithError(kErrorMalformedParameters);
     return;
   }
 
   device->device()->ControlTransfer(direction, request_type, recipient,
       transfer.request, transfer.value, transfer.index, buffer, size, 0,
       base::Bind(&UsbControlTransferFunction::OnCompleted, this));
 }
 
 UsbBulkTransferFunction::UsbBulkTransferFunction() {}
@@ skipping 10 matching lines @@
   UsbDeviceResource* const device = GetUsbDeviceResource(
       parameters_->device.handle);
   if (!device) {
     CompleteWithError(kErrorNoDevice);
     return;
   }
 
   const GenericTransferInfo& transfer = parameters_->transfer_info;
 
   UsbDevice::TransferDirection direction;
-  size_t size;
-  scoped_refptr<net::IOBuffer> buffer = CreateBufferForTransfer(transfer);
+  size_t size = 0;
 
   if (!ConvertDirectionSafely(transfer.direction, &direction)) {
     AsyncWorkCompleted();
     return;
   }
 
-  if (!GetTransferSize(transfer, &size) || !buffer) {
+  if (!GetTransferSize(transfer, &size)) {
+    CompleteWithError(kErrorInvalidTransferLength);
+    return;
+  }
+
+  scoped_refptr<net::IOBuffer> buffer = CreateBufferForTransfer(
+      transfer, direction, size);
+  if (!buffer) {
     CompleteWithError(kErrorMalformedParameters);
     return;
   }
 
   device->device()->BulkTransfer(direction, transfer.endpoint, buffer, size, 0,
       base::Bind(&UsbBulkTransferFunction::OnCompleted, this));
 }
 
 UsbInterruptTransferFunction::UsbInterruptTransferFunction() {}
 
 UsbInterruptTransferFunction::~UsbInterruptTransferFunction() {}
 
 bool UsbInterruptTransferFunction::Prepare() {
   parameters_ = InterruptTransfer::Params::Create(*args_);
   EXTENSION_FUNCTION_VALIDATE(parameters_.get());
   return true;
 }
 
 void UsbInterruptTransferFunction::AsyncWorkStart() {
   UsbDeviceResource* const device = GetUsbDeviceResource(
       parameters_->device.handle);
   if (!device) {
     CompleteWithError(kErrorNoDevice);
     return;
   }
 
   const GenericTransferInfo& transfer = parameters_->transfer_info;
 
   UsbDevice::TransferDirection direction;
-  size_t size;
-  scoped_refptr<net::IOBuffer> buffer = CreateBufferForTransfer(transfer);
+  size_t size = 0;
 
   if (!ConvertDirectionSafely(transfer.direction, &direction)) {
     AsyncWorkCompleted();
     return;
   }
 
-  if (!GetTransferSize(transfer, &size) || !buffer) {
+  if (!GetTransferSize(transfer, &size)) {
+    CompleteWithError(kErrorInvalidTransferLength);
+    return;
+  }
+
+  scoped_refptr<net::IOBuffer> buffer = CreateBufferForTransfer(
+      transfer, direction, size);
+  if (!buffer) {
     CompleteWithError(kErrorMalformedParameters);
     return;
   }
 
   device->device()->InterruptTransfer(direction, transfer.endpoint, buffer,
       size, 0, base::Bind(&UsbInterruptTransferFunction::OnCompleted, this));
 }
 
 UsbIsochronousTransferFunction::UsbIsochronousTransferFunction() {}
 
 UsbIsochronousTransferFunction::~UsbIsochronousTransferFunction() {}
 
 bool UsbIsochronousTransferFunction::Prepare() {
   parameters_ = IsochronousTransfer::Params::Create(*args_);
   EXTENSION_FUNCTION_VALIDATE(parameters_.get());
   return true;
 }
 
 void UsbIsochronousTransferFunction::AsyncWorkStart() {
   UsbDeviceResource* const device = GetUsbDeviceResource(
       parameters_->device.handle);
   if (!device) {
     CompleteWithError(kErrorNoDevice);
     return;
   }
 
   const IsochronousTransferInfo& transfer = parameters_->transfer_info;
   const GenericTransferInfo& generic_transfer = transfer.transfer_info;
 
-  size_t size;
+  size_t size = 0;
   UsbDevice::TransferDirection direction;
-  scoped_refptr<net::IOBuffer> buffer = CreateBufferForTransfer(
-      generic_transfer);
 
   if (!ConvertDirectionSafely(generic_transfer.direction, &direction)) {
     AsyncWorkCompleted();
     return;
   }
 
-  if (!GetTransferSize(generic_transfer, &size) || !buffer) {
-    CompleteWithError(kErrorNoDevice);
+  if (!GetTransferSize(generic_transfer, &size)) {
+    CompleteWithError(kErrorInvalidTransferLength);
+    return;
+  }
+
+  scoped_refptr<net::IOBuffer> buffer = CreateBufferForTransfer(
+      generic_transfer, direction, size);
+  if (!buffer) {
+    CompleteWithError(kErrorMalformedParameters);
     return;
   }
 
   device->device()->IsochronousTransfer(direction, generic_transfer.endpoint,
       buffer, size, transfer.packets, transfer.packet_length, 0, base::Bind(
           &UsbIsochronousTransferFunction::OnCompleted, this));
 }
 
 }  // namespace extensions