From f2d3e24052c1850eb054db3a20e56e14ffedfe77 Mon Sep 17 00:00:00 2001
From: hselasky <hselasky@FreeBSD.org>
Date: Tue, 25 Jun 2019 13:15:29 +0000
Subject: [PATCH] Fix parsing of corrupt data in usbdump(8). Check that the
 transfer type array lookup is within bounds to avoid segfault.

PR:		238801
MFC after:	3 days
Sponsored by:	Mellanox Technologies
---
 usr.sbin/usbdump/usbdump.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/usbdump/usbdump.c b/usr.sbin/usbdump/usbdump.c
index ef4476f55d8..a38d08a252a 100644
--- a/usr.sbin/usbdump/usbdump.c
+++ b/usr.sbin/usbdump/usbdump.c
@@ -149,7 +149,9 @@ static const char *errstr_table[USB_ERR_MAX] = {
 	[USB_ERR_NOT_LOCKED]		= "NOT_LOCKED",
 };
 
-static const char *xfertype_table[4] = {
+#define	USB_XFERTYPE_MAX 4
+
+static const char *xfertype_table[USB_XFERTYPE_MAX] = {
 	[UE_CONTROL]			= "CTRL",
 	[UE_ISOCHRONOUS]		= "ISOC",
 	[UE_BULK]			= "BULK",
@@ -320,6 +322,15 @@ usb_speedstr(uint8_t speed)
 		return (speed_table[speed]);
 }
 
+static const char *
+usb_xferstr(uint8_t type)
+{
+	if (type >= USB_XFERTYPE_MAX  || xfertype_table[type] == NULL)
+		return ("UNKN");
+	else
+		return (xfertype_table[type]);
+}
+
 static void
 print_flags(uint32_t flags)
 {
@@ -496,7 +507,7 @@ print_apacket(const struct header_32 *hdr, const uint8_t *ptr, int ptr_len)
 		    (int)len, buf, tv.tv_usec,
 		    (int)up->up_busunit, (int)up->up_address,
 		    (up->up_type == USBPF_XFERTAP_SUBMIT) ? "SUBM" : "DONE",
-		    xfertype_table[up->up_xfertype],
+		    usb_xferstr(up->up_xfertype),
 		    (unsigned int)up->up_endpoint,
 		    usb_speedstr(up->up_speed),
 		    (int)up->up_frames,
-- 
2.45.0