Message ID | 20210503132915.2335822-3-kraxel@redhat.com |
---|---|
State | New |
Headers | show |
Series | usb: fix some memory allocation issues. | expand |
On 5/3/21 3:29 PM, Gerd Hoffmann wrote: > Use autofree heap allocation instead. > > Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") > Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/usb/redirect.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
On Mon, May 3, 2021 at 3:29 PM Gerd Hoffmann <kraxel@redhat.com> wrote: > > Use autofree heap allocation instead. > > Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") > Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/usb/redirect.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c > index 17f06f34179a..6a75b0dc4ab2 100644 > --- a/hw/usb/redirect.c > +++ b/hw/usb/redirect.c > @@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, > .endpoint = ep, > .length = p->iov.size > }; > - uint8_t buf[p->iov.size]; > + g_autofree uint8_t *buf = g_malloc(p->iov.size); > /* No id, we look at the ep when receiving a status back */ > usb_packet_copy(p, buf, p->iov.size); > usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, > @@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, > usbredirparser_send_bulk_packet(dev->parser, p->id, > &bulk_packet, NULL, 0); > } else { > - uint8_t buf[size]; > + g_autofree uint8_t *buf = g_malloc(size); > usb_packet_copy(p, buf, size); > usbredir_log_data(dev, "bulk data out:", buf, size); > usbredirparser_send_bulk_packet(dev->parser, p->id, > @@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, > USBPacket *p, uint8_t ep) > { > struct usb_redir_interrupt_packet_header interrupt_packet; > - uint8_t buf[p->iov.size]; > + g_autofree uint8_t *buf = g_malloc(p->iov.size); > > DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, > p->iov.size, p->id); > -- > 2.30.2 > Nitpick: I would probably reference CVE-2021-3527 in patch 4/5 and 5/5 as well. Just to avoid someone from cherry-picking this patch only, not actually fixing the root cause of the CVE. Regards. -- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 17f06f34179a..6a75b0dc4ab2 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, .endpoint = ep, .length = p->iov.size }; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); /* No id, we look at the ep when receiving a status back */ usb_packet_copy(p, buf, p->iov.size); usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, @@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, usbredirparser_send_bulk_packet(dev->parser, p->id, &bulk_packet, NULL, 0); } else { - uint8_t buf[size]; + g_autofree uint8_t *buf = g_malloc(size); usb_packet_copy(p, buf, size); usbredir_log_data(dev, "bulk data out:", buf, size); usbredirparser_send_bulk_packet(dev->parser, p->id, @@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, USBPacket *p, uint8_t ep) { struct usb_redir_interrupt_packet_header interrupt_packet; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, p->iov.size, p->id);