From patchwork Wed Feb 2 18:18:41 2011
X-Patchwork-Submitter: Hans de Goede
X-Patchwork-Id: 81503
From: Hans de Goede
To: qemu-devel@nongnu.org
Cc: spice-devel@lists.freedesktop.org, Gerd Hoffmann, Hans de Goede
Date: Wed, 2 Feb 2011 19:18:41 +0100
Message-Id: <1296670721-2709-3-git-send-email-hdegoede@redhat.com>
In-Reply-To: <1296670721-2709-1-git-send-email-hdegoede@redhat.com>
References: <1296670721-2709-1-git-send-email-hdegoede@redhat.com>
Subject: [Qemu-devel] [PATCH 3/3] usb: control buffer fixes

Windows allows control transfers to pass up to 4k of data, so raise our control buffer size to 4k.

For control out transfers the usb core code copies the control request data to a buffer before calling the device's handle_control callback. Add a check for overflowing the buffer before copying the data.

Signed-off-by: Hans de Goede

---
 hw/usb.c | 6 ++++++
 hw/usb.h | 2 +-
 2 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/hw/usb.c b/hw/usb.c index 560b3e4..4379c2a 100644 --- a/hw/usb.c +++ b/hw/usb.c @@ -98,6 +98,12 @@ static int do_token_setup(USBDevice *s, USBPacket *p) s->setup_len = ret; s->setup_state = SETUP_STATE_DATA; } else { + if (s->setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", + s->setup_len, sizeof(s->data_buf)); + return USB_RET_STALL; + } if (s->setup_len == 0) s->setup_state = SETUP_STATE_ACK; else diff --git a/hw/usb.h b/hw/usb.h index 412ce02..51ccc86 100644 --- a/hw/usb.h +++ b/hw/usb.h 
@@ -167,7 +167,7 @@ struct USBDevice { int state; uint8_t setup_buf[8]; - uint8_t data_buf[1024]; + uint8_t data_buf[4096]; int remote_wakeup; int setup_state; int setup_len;
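Review bot: In the hw/usb.c hunk the new bound check sits only in the `else` branch of do_token_setup; the branch just above it still does `s->setup_len = ret;` with no visible comparison against sizeof(s->data_buf), so please confirm that the value stored there can never exceed the buffer, or add the same check on that path. Two smaller points on the added lines: the message prefix says usb_generic_handle_packet although the check is in do_token_setup, and an unconditional fprintf(stderr, ...) on a condition decided by the request's length can fill the host's stderr log, so consider printing it once or putting it behind a debug macro. Since setup_len is declared `int` and sizeof yields size_t, the comparison is done unsigned; a negative setup_len would also be rejected, which is the safe direction, but a short comment saying so would help the next reader.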
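Review bot: In the hw/usb.h hunk, `uint8_t data_buf[4096];` is a bare number whose reason (Windows allowing control transfers of up to 4k) is recorded only in the commit message. A named constant with a one-line comment at the declaration would document the limit where the buffer is defined and would give the sizeof(s->data_buf) check added in hw/usb.c a name to refer to.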