Merge pull request #53 from github/null-map

Fix null pointer dereference in driver userclient

Author: mastahyeti

SoftU2F.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>IDEDidComputeMac32BitWarning</key>
+	<true/>
+</dict>
+</plist>

SoftU2FDriver/SoftU2FUserClient.cpp

@@ -158,21 +158,22 @@ void SoftU2FUserClient::frameReceivedGated(IOMemoryDescriptor *report) {
 
   IOMemoryMap *reportMap = nullptr;
 
-  if (isInactive())
+  if (isInactive() || !_notifyRef)
     return;
 
-  if (report->prepare() != kIOReturnSuccess)
+  if (report->getLength() != sizeof(U2FHID_FRAME) || report->prepare() != kIOReturnSuccess)
     return;
 
+  // Map report into kernel space.
   reportMap = report->map();
 
-  // Notify userland that we got a report.
-  if (_notifyRef && reportMap->getLength() == sizeof(U2FHID_FRAME)) {
+  if (reportMap != nullptr) {
+    // Notify userland that we got a report.
     io_user_reference_t *args = (io_user_reference_t *)reportMap->getAddress();
     sendAsyncResult64(*_notifyRef, kIOReturnSuccess, args, sizeof(U2FHID_FRAME) / sizeof(io_user_reference_t));
+    reportMap->release();
   }
 
-  reportMap->release();
   report->complete();
 }
 

script/run

@@ -20,10 +20,10 @@ if kextstat -b $BUNDLE_ID | grep $BUNDLE_ID &> /dev/null; then
 fi
 
 # Ensure kext is owned by root.
-sudo chown -R root:wheel $KEXT_PATH
+sudo chown -R root:wheel "${KEXT_PATH}"
 
 echo "Loading softu2f.kext"
-if ! sudo kextutil $KEXT_PATH; then
+if ! sudo kextutil "${KEXT_PATH}"; then
   echo "Error loading softu2f.kext"
   exit 1
 fi