From 04a9508e07582f553e9ea767f9e4a9b93839914b Mon Sep 17 00:00:00 2001
From: MarkLee131 <kaixuan.li@ntu.edu.sg>
Date: Sat, 25 Apr 2026 18:33:17 +0800
Subject: [PATCH] descriptor: Fix two memory-safety bugs in malformed config
 descriptor handling

Two issues reachable from a malformed config descriptor returned by an
attached USB device, both surfaced by the same libFuzzer + ASan run.

1) parse_interface() reads bNumEndpoints from the interface descriptor and
   increments usb_interface->num_altsetting before entering the inner loop
   that skips class/vendor specific descriptors ahead of the endpoint
   array. If that loop's bLength > size short-read branch fires, the
   function returns before the endpoint array is allocated, leaving the
   caller with bNumEndpoints > 0 and endpoint == NULL. libusb.h documents
   endpoint as an array sized by bNumEndpoints, and the testlibusb and
   xusb examples both iterate it accordingly, so a NULL deref follows.
   Reset bNumEndpoints to 0 before returning so the invariant holds.

2) The first-pass loop in parse_iad_array() compares header.bLength
   against the original size argument instead of the remaining bytes,
   so a single descriptor with bLength == size - 1 lets consumed reach
   size - 1 and the next iteration enters with only one byte of buffer
   left. The buf[1] read on the second line of the loop body lands one
   byte past the malloc allocation that backs the descriptor data. The
   sibling parsers parse_configuration() and parse_interface() in the
   same file already use the remaining-bytes form. Switch the IAD parser
   loop guard and bound check to match.

Both code paths are reachable from public APIs (libusb_get_*_config_descriptor
and libusb_get_*_interface_association_descriptors), with the malformed
input supplied by the attached device. Minimal reproducers are 20 and
9 bytes respectively.

Fixes #1813

CVE: CVE-2026-23679 CVE-2026-47104
Upstream-Status: Backport [https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231]

Backport Changes:
- The upstream version_nano.h bump is omitted because this is a security
  backport to libusb 1.0.29, not a version upgrade.

Signed-off-by: MarkLee131 <kaixuan.li@ntu.edu.sg>
(cherry picked from commit bc0886173ea15b8cc9bba2918f58a97a7f185231)
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
 libusb/descriptor.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libusb/descriptor.c b/libusb/descriptor.c
index 870883a..7d4f118 100644
--- a/libusb/descriptor.c
+++ b/libusb/descriptor.c
@@ -241,6 +241,10 @@ static int parse_interface(libusb_context *ctx,
 				usbi_warn(ctx,
 					  "short extra intf desc read %d/%u",
 					  size, header->bLength);
+				/* Keep the invariant: bNumEndpoints > 0 implies
+				 * endpoint != NULL. The endpoint array isn't
+				 * allocated yet on this early return. */
+				ifp->bNumEndpoints = 0;
 				return parsed;
 			}
 
@@ -1365,7 +1369,7 @@ static int parse_iad_array(struct libusb_context *ctx,
 
 	/* First pass: Iterate through desc list, count number of IADs */
 	iad_array->length = 0;
-	while (consumed < size) {
+	while (size - consumed >= DESC_HEADER_LENGTH) {
 		header.bLength = buf[0];
 		header.bDescriptorType = buf[1];
 		if (header.bLength < DESC_HEADER_LENGTH) {
@@ -1373,9 +1377,9 @@ static int parse_iad_array(struct libusb_context *ctx,
 				 header.bLength);
 			return LIBUSB_ERROR_IO;
 		}
-		else if (header.bLength > size) {
+		else if (header.bLength > size - consumed) {
 			usbi_warn(ctx, "short config descriptor read %d/%u",
-					  size, header.bLength);
+					  size - consumed, header.bLength);
 			return LIBUSB_ERROR_IO;
 		}
 		if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION)
-- 
2.51.0

