fix null pointer dereference in driver userclient

IOMemoryDescriptor.map() will return NULL if the length is 0. This can be triggered by sending a report with a single null byte.
github · Jun 19, 2018 · a4fc765 · a4fc765
1 parent e795b8a
commit a4fc765
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 9 deletions.
diff --git a/SoftU2F.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist b/SoftU2F.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>IDEDidComputeMac32BitWarning</key>
+	<true/>
+</dict>
+</plist>
diff --git a/SoftU2FDriver/SoftU2FUserClient.cpp b/SoftU2FDriver/SoftU2FUserClient.cpp
@@ -156,21 +156,21 @@ void SoftU2FUserClient::frameReceived(IOMemoryDescriptor *report) {
 void SoftU2FUserClient::frameReceivedGated(IOMemoryDescriptor *report) {
   IOLog("%s[%p]::%s(%p)\n", getName(), this, __FUNCTION__, report);
 
-  IOMemoryMap *reportMap = nullptr;
+  IOMemoryMap *reportMap;
+  io_user_reference_t *args;
 
-  if (isInactive())
+  if (isInactive() || !_notifyRef)
     return;
 
-  if (report->prepare() != kIOReturnSuccess)
+  if (report->getLength() != sizeof(U2FHID_FRAME) || report->prepare() != kIOReturnSuccess)
     return;
 
+  // Map report into kernel space.
   reportMap = report->map();
 
   // Notify userland that we got a report.
-  if (_notifyRef && reportMap->getLength() == sizeof(U2FHID_FRAME)) {
-    io_user_reference_t *args = (io_user_reference_t *)reportMap->getAddress();
-    sendAsyncResult64(*_notifyRef, kIOReturnSuccess, args, sizeof(U2FHID_FRAME) / sizeof(io_user_reference_t));
-  }
+  args = (io_user_reference_t *)reportMap->getAddress();
+  sendAsyncResult64(*_notifyRef, kIOReturnSuccess, args, sizeof(U2FHID_FRAME) / sizeof(io_user_reference_t));
 
   reportMap->release();
   report->complete();

diff --git a/script/run b/script/run
@@ -20,10 +20,10 @@ if kextstat -b $BUNDLE_ID | grep $BUNDLE_ID &> /dev/null; then
 fi
 
 # Ensure kext is owned by root.
-sudo chown -R root:wheel $KEXT_PATH
+sudo chown -R root:wheel "${KEXT_PATH}"
 
 echo "Loading softu2f.kext"
-if ! sudo kextutil $KEXT_PATH; then
+if ! sudo kextutil "${KEXT_PATH}"; then
   echo "Error loading softu2f.kext"
   exit 1
 fi