
Commit 993d72a

TheodorNEngoysonatique
authored andcommitted
tests/fuzz: BOS device‑cap parsers fuzzer (USB 2.0 ext, SS dev‑cap, Container ID) + minimal corpus seed
Closes libusb#1707
1 parent 18d26e4 commit 993d72a


2 files changed

+49
-0
lines changed

2 files changed

+49
-0
lines changed

tests/fuzz/corpus/bos/min.bos

5 Bytes
Binary file not shown.

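--- a/tests/fuzz/fuzz_bos_descriptor.c
+++ b/tests/fuzz/fuzz_bos_descriptor.c
@@ -0,0 +1,49 @@
+#include <stdint.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <libusb.h>
+
+/* Fuzz the public BOS device-capability parsers.
+We construct a valid BOS dev-cap header (3 bytes) + variable payload.
+No hardware needed; ctx=NULL is fine. */
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+if (!data) return 0;
+
+/* bLength is 3 (header) + payload; must fit in one byte. */
+uint8_t payload_len = (size > 252) ? 252 : (uint8_t)size; /* 255 - 3 = 252 */
+size_t total_len = 3u + (size_t)payload_len;
+
+/* Allocate header + payload for the flexible array member. */
+struct libusb_bos_dev_capability_descriptor *devcap =
+(struct libusb_bos_dev_capability_descriptor*)
+malloc(sizeof(*devcap) + payload_len);
+if (!devcap) return 0;
+
+devcap->bLength = (uint8_t)total_len;
+devcap->bDescriptorType = LIBUSB_DT_DEVICE_CAPABILITY; /* 0x10 */
+/* Copy fuzz bytes into the variable-length payload. */
+if (payload_len) memcpy(devcap->dev_capability_data, data, payload_len);
+
+/* 1) USB 2.0 Extension dev-cap */
+devcap->bDevCapabilityType = LIBUSB_BT_USB_2_0_EXTENSION;
+struct libusb_usb_2_0_extension_descriptor *d20 = NULL;
+(void)libusb_get_usb_2_0_extension_descriptor(NULL, devcap, &d20);
+libusb_free_usb_2_0_extension_descriptor(d20);
+
+/* 2) SuperSpeed USB Device Capability dev-cap */
+devcap->bDevCapabilityType = LIBUSB_BT_SS_USB_DEVICE_CAPABILITY;
+struct libusb_ss_usb_device_capability_descriptor *dss = NULL;
+(void)libusb_get_ss_usb_device_capability_descriptor(NULL, devcap, &dss);
+libusb_free_ss_usb_device_capability_descriptor(dss);
+
+/* 3) Container ID dev-cap */
+devcap->bDevCapabilityType = LIBUSB_BT_CONTAINER_ID;
+struct libusb_container_id_descriptor *dcid = NULL;
+(void)libusb_get_container_id_descriptor(NULL, devcap, &dcid);
+libusb_free_container_id_descriptor(dcid);
+
+free(devcap);
+return 0;
+}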
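Review bot: All three parser calls discard their return code with `(void)` and free the output unread (new lines 32-33, 38-39, 44-45), so the harness can only catch memory-safety faults raised during the parse itself; a parser that reports success with a NULL output, or fails while leaving an allocation behind, passes silently. Keeping the result and checking the invariant gives the fuzzer an oracle, e.g. `int r = libusb_get_usb_2_0_extension_descriptor(NULL, devcap, &d20);` followed by `if ((r == LIBUSB_SUCCESS) != (d20 != NULL)) abort();`, and likewise for the SuperSpeed and Container ID calls. Reading a field of each successfully parsed descriptor before freeing it would also let MemorySanitizer flag uninitialised output. Separately, input beyond 252 bytes is silently dropped at new line 15, so a comment recommending `-max_len=252` would avoid wasted mutations. The 5-byte seed yields bLength 8, which presumably clears only the shortest of the three minimum-length checks; confirm against libusb.h and consider adding a longer seed.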
