
Commit a6eebe0

committed
Fix use-after-free in descriptor extra data (1.1.0 regression)
Nan::NewBuffer takes ownership of the passed buffer, but the descriptors are freed once converted to JS. Use Nan::CopyBuffer instead, and remove the wrapper function, as it no longer wraps multiple V8 calls.
1 parent 98b9851 commit a6eebe0


1 file changed

+9
-7
lines changed


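--- a/src/device.cc
+++ b/src/device.cc
@@ -11,10 +11,6 @@
 
 static Nan::Persistent<v8::FunctionTemplate> device_constructor;
 
-Local<Object> makeBuffer(const unsigned char* ptr, unsigned length) {
-return Nan::NewBuffer((char*) ptr, (uint32_t) length).ToLocalChecked();
-}
-
 Device::Device(libusb_device* d): device(d), device_handle(0) {
 libusb_ref_device(device);
 DEBUG_LOG("Created device %p", this);
@@ -115,7 +111,9 @@ NAN_METHOD(Device_GetConfigDescriptor) {
 // Libusb 1.0 typo'd bMaxPower as MaxPower
 v8cdesc->ForceSet(V8STR("bMaxPower"), Nan::New<Uint32>((uint32_t) cdesc->MaxPower), CONST_PROP);
 
-v8cdesc->ForceSet(V8SYM("extra"), makeBuffer(cdesc->extra, cdesc->extra_length), CONST_PROP);
+v8cdesc->ForceSet(V8SYM("extra"),
+Nan::CopyBuffer((const char*) cdesc->extra, cdesc->extra_length).ToLocalChecked(),
+CONST_PROP);
 
 Local<Array> v8interfaces = Nan::New<Array>(cdesc->bNumInterfaces);
 v8cdesc->ForceSet(V8SYM("interfaces"), v8interfaces);
@@ -143,7 +141,9 @@ NAN_METHOD(Device_GetConfigDescriptor) {
 STRUCT_TO_V8(v8idesc, idesc, bInterfaceProtocol)
 STRUCT_TO_V8(v8idesc, idesc, iInterface)
 
-v8idesc->ForceSet(V8SYM("extra"), makeBuffer(idesc.extra, idesc.extra_length), CONST_PROP);
+v8idesc->ForceSet(V8SYM("extra"),
+Nan::CopyBuffer((const char*)idesc.extra, idesc.extra_length).ToLocalChecked(),
+CONST_PROP);
 
 Local<Array> v8endpoints = Nan::New<Array>(idesc.bNumEndpoints);
 v8idesc->ForceSet(V8SYM("endpoints"), v8endpoints, CONST_PROP);
@@ -162,7 +162,9 @@ NAN_METHOD(Device_GetConfigDescriptor) {
 STRUCT_TO_V8(v8edesc, edesc, bRefresh)
 STRUCT_TO_V8(v8edesc, edesc, bSynchAddress)
 
-v8edesc->ForceSet(V8SYM("extra"), makeBuffer(edesc.extra, edesc.extra_length), CONST_PROP);
+v8edesc->ForceSet(V8SYM("extra"),
+Nan::CopyBuffer((const char*) edesc.extra, edesc.extra_length).ToLocalChecked(),
+CONST_PROP);
 }
 }
 }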
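Review bot: The three new `Nan::CopyBuffer` calls (the `cdesc`, `idesc` and `edesc` sites) pass `extra` and `extra_length` through unchecked, and nothing at the call sites records why a copy is required rather than `Nan::NewBuffer`. libusb declares `extra_length` as `int`, and it converts implicitly to CopyBuffer's `uint32_t` size. A negative or inconsistent length would therefore make the copy read past the descriptor into a JS-visible Buffer, and a null `extra` with length 0 relies on CopyBuffer tolerating it, which presumably holds but is worth confirming for the oldest supported Node version. I would clamp the length at each site, e.g. `cdesc->extra_length > 0 ? cdesc->extra_length : 0`, and add a comment at the first one such as `// CopyBuffer, not NewBuffer: libusb owns this memory and frees it after conversion`, since this was already a regression once. `NAN_METHOD(Device_GetConfigDescriptor)` starts and ends outside these hunks, so the point where the descriptor is freed is not visible here.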
