From ef1aa3f416508d6744b66d3dbddf03721a5a9041 Mon Sep 17 00:00:00 2001
From: hselasky <hselasky@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Wed, 3 Jul 2019 18:19:29 +0000
Subject: [PATCH] MFC r349370: Fix parsing of corrupt data in usbdump(8). Check
 that the transfer type array lookup is within bounds to avoid segfault.

PR:		238801
Sponsored by:	Mellanox Technologies


git-svn-id: svn://svn.freebsd.org/base/stable/10@349666 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 usr.sbin/usbdump/usbdump.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/usbdump/usbdump.c b/usr.sbin/usbdump/usbdump.c
index 647d69068..328c979b1 100644
--- a/usr.sbin/usbdump/usbdump.c
+++ b/usr.sbin/usbdump/usbdump.c
@@ -148,7 +148,9 @@ static const char *errstr_table[USB_ERR_MAX] = {
 	[USB_ERR_NOT_LOCKED]		= "NOT_LOCKED",
 };
 
-static const char *xfertype_table[4] = {
+#define	USB_XFERTYPE_MAX 4
+
+static const char *xfertype_table[USB_XFERTYPE_MAX] = {
 	[UE_CONTROL]			= "CTRL",
 	[UE_ISOCHRONOUS]		= "ISOC",
 	[UE_BULK]			= "BULK",
@@ -319,6 +321,15 @@ usb_speedstr(uint8_t speed)
 		return (speed_table[speed]);
 }
 
+static const char *
+usb_xferstr(uint8_t type)
+{
+	if (type >= USB_XFERTYPE_MAX  || xfertype_table[type] == NULL)
+		return ("UNKN");
+	else
+		return (xfertype_table[type]);
+}
+
 static void
 print_flags(uint32_t flags)
 {
@@ -495,7 +506,7 @@ print_apacket(const struct header_32 *hdr, const uint8_t *ptr, int ptr_len)
 		    (int)len, buf, tv.tv_usec,
 		    (int)up->up_busunit, (int)up->up_address,
 		    (up->up_type == USBPF_XFERTAP_SUBMIT) ? "SUBM" : "DONE",
-		    xfertype_table[up->up_xfertype],
+		    usb_xferstr(up->up_xfertype),
 		    (unsigned int)up->up_endpoint,
 		    usb_speedstr(up->up_speed),
 		    (int)up->up_frames,
-- 
2.42.0