dsg/usbip-rs
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Rust usbip protocol library and tooling
205 commits 1 branch 0 tags 1.2 MiB
Find a file
Davíð Steinn Geirsson 76f5134e25 fix: close connection on devid mismatch, matching kernel behavior 
The kernel's valid_request() in stub_rx.c tears down the TCP connection
when devid doesn't match (SDEV_EVENT_ERROR_TCP). Previously we sent an
error response and continued, which is non-standard. Now we break out
of the loop to close the connection, matching the kernel.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 00:21:49 +00:00
cli fix: update nusb rev in both lib and cli, update flake cargoHash 2026-03-25 22:17:10 +00:00
docs/superpowers docs: add fuzz corpus seeding implementation plan 2026-03-26 00:04:58 +00:00
lib fix: close connection on devid mismatch, matching kernel behavior 2026-03-26 00:21:49 +00:00
.gitignore Update .gitignore, remove obsolete plan doc 2026-03-25 00:30:38 +00:00
Cargo.lock fix: update nusb rev in both lib and cli, update flake cargoHash 2026-03-25 22:17:10 +00:00
Cargo.toml feat: add usbip-rs CLI tool with vsock transport 2026-03-22 10:41:42 +00:00
CLAUDE.md Update CLAUDE.md 2026-03-25 23:09:59 +00:00
flake.lock feat: add nix fuzz devShell and fuzz-usbip app with --fork support 2026-03-25 22:08:55 +00:00
flake.nix feat(fuzz): add gen-fuzz-corpus nix app 2026-03-26 00:14:49 +00:00
LICENSE Simplify documentation (fixes #59) 2025-12-25 20:58:48 +08:00
README.md docs: add CLAUDE.md and fuzzing section to README 2026-03-25 22:24:04 +00:00

README.md

usbip-rs

Implements a userspace server-side server for the usbip protocol, and a tool for the client-side to set up the socket and hand it off to the kernel. In usbip terminology, the "server"/"host" is the side that has the physical device being shared, and the "client" is the side the device is being shared to.

This project is based on https://github.com/jiegec/usbip, with significant changes and additions.

Why?

Implementing the server side in userspace instead of the kernel's usbip_host driver reduces the attack surface considerably. The kernel is not exposed directly to potentially untrusted network input. The userspace server talks to the USB device via /dev/bus/usb/..., and can validate the client's traffic before passing it on to the real USB device. It also makes it possible to implement strong sandboxing via seccomp and namespaces for the server side. The client side is of course still all in the kernel, since making the USB devices visible to the client kernel's drivers is the whole point. But for my use case, the server side is trusted and client side is untrusted, so securing the host side is critical.

There are a few other userspace usbip server implementations around, but as far as I could tell, none of them support isochronous mode. Isochronous is needed for e.g. USB audio devices and webcams. This project does, though my testing so far is limited to playback on USB audio devices which work well.

This implementation also allows for reversing the connection flow. In standard usbip, the server side listens for connections, and the client side connects to it to access the device. usbip-rs supports having the client listen and the server initiating the connection, which maps much better to my needs.

usbip-rs also supports using vsock instead of TCP as the transport, making the "ip" in "usbip" not really true. This is useful when sharing a device to a virtual machine on the same hardware.

Building

With Nix

nix build

With Cargo

Requires libusb and libudev (Linux) system dependencies.

cargo build --release

The CLI binary is at target/release/usbip-rs.

Usage

The CLI has four top-level commands: client, host, test_hid, and test_uac. Transport addresses use the format vsock:<port>, vsock:<cid>:<port>, tcp:<port>, tcp:<host>:<port>, or fc-vsock:<path>:<port>.

Pass through a real USB device

On the client machine (needs vhci_hcd kernel module):

usbip-rs client listen tcp:3240

On the host machine (where the USB device is plugged in):

usbip-rs host connect tcp:<client-ip>:3240 1-2

The device argument is a bus ID (e.g. 1-2) or device path (e.g. /dev/bus/usb/001/002).

Test with a simulated HID keyboard

# Client side
usbip-rs client listen vsock:5000

# Host side (simulated keyboard, no real device needed)
usbip-rs test_hid connect vsock:5000

Test with a simulated UAC1 loopback audio device (not working)

# Client side
usbip-rs client listen tcp:3240

# Host side (simulated USB audio device, no real device needed)
usbip-rs test_uac connect tcp:3240

The UAC1 loopback device advertises 48kHz 16-bit stereo playback and capture. Audio sent to the playback endpoint is looped back to the capture endpoint.

Fuzzing

Fuzz targets exercise the host-side codepaths that process untrusted client data. Requires nightly Rust (provided by the nix app).

# List available fuzz targets
nix run .#fuzz-usbip

# Run a single fuzz target
nix run .#fuzz-usbip -- fuzz_urb_hid

# Run with 8 parallel processes, auto-restart on crash (for overnight runs)
nix run .#fuzz-usbip -- fuzz_urb_hid --fork=8

# Re-check saved crash artifacts and delete the ones that no longer reproduce
nix run .#fuzz-clean-usbip -- fuzz_urb_hid

Targets:

  • fuzz_parse_command — protocol deserialization
  • fuzz_handle_client — full connection lifecycle (negotiation + URB loop)
  • fuzz_urb_hid — URB loop with HID keyboard device
  • fuzz_urb_uac — URB loop with UAC1 audio device (isochronous)
  • fuzz_urb_cdc — URB loop with CDC ACM serial device (bulk)

Crash artifacts are saved to lib/fuzz/artifacts/<target>/.

Project structure

├── cli/          CLI binary (usbip-rs)
├── lib/          Library crate (usbip-rs)
│   ├── src/
│   ├── fuzz/     Fuzz targets (cargo-fuzz)
│   └── examples/
└── flake.nix     Nix build

License

MIT — see LICENSE.