[Qemu-devel] [PULL 3/6] usb: check RNDIS message length

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PULL 3/6] usb: check RNDIS message length

From:	Gerd Hoffmann
Subject:	[Qemu-devel] [PULL 3/6] usb: check RNDIS message length
Date:	Tue, 23 Feb 2016 11:54:55 +0100

From: Prasad J Pandit <address@hidden>

When processing remote NDIS control message packets, the USB Net
device emulator uses a fixed length(4096) data buffer. The incoming
packet length could exceed this limit. Add a check to avoid it.

Signed-off-by: Prasad J Pandit <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
---
 hw/usb/core.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/hw/usb/core.c b/hw/usb/core.c
index bea5e1e..45fa00c 100644
--- a/hw/usb/core.c
+++ b/hw/usb/core.c
@@ -129,9 +129,16 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
     }
 
     usb_packet_copy(p, s->setup_buf, p->iov.size);
+    s->setup_index = 0;
     p->actual_length = 0;
     s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
-    s->setup_index = 0;
+    if (s->setup_len > sizeof(s->data_buf)) {
+        fprintf(stderr,
+                "usb_generic_handle_packet: ctrl buffer too small (%d > 
%zu)\n",
+                s->setup_len, sizeof(s->data_buf));
+        p->status = USB_RET_STALL;
+        return;
+    }
 
     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
@@ -152,13 +159,6 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
         }
         s->setup_state = SETUP_STATE_DATA;
     } else {
-        if (s->setup_len > sizeof(s->data_buf)) {
-            fprintf(stderr,
-                "usb_generic_handle_packet: ctrl buffer too small (%d > 
%zu)\n",
-                s->setup_len, sizeof(s->data_buf));
-            p->status = USB_RET_STALL;
-            return;
-        }
         if (s->setup_len == 0)
             s->setup_state = SETUP_STATE_ACK;
         else
@@ -177,7 +177,7 @@ static void do_token_in(USBDevice *s, USBPacket *p)
     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
     index   = (s->setup_buf[5] << 8) | s->setup_buf[4];
- 
+
     switch(s->setup_state) {
     case SETUP_STATE_ACK:
         if (!(s->setup_buf[0] & USB_DIR_IN)) {
-- 
1.8.3.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PULL 0/6] usb: misc bugfixes, Gerd Hoffmann, 2016/02/23
- [Qemu-devel] [PULL 2/6] tusb6010: move from hw/timer to hw/usb, Gerd Hoffmann, 2016/02/23
- [Qemu-devel] [PULL 1/6] usb: check USB configuration descriptor object, Gerd Hoffmann, 2016/02/23
- [Qemu-devel] [PULL 4/6] usb: check RNDIS buffer offsets & length, Gerd Hoffmann, 2016/02/23
- [Qemu-devel] [PULL 5/6] usb: add pid check at the first of uhci_handle_td(), Gerd Hoffmann, 2016/02/23
- [Qemu-devel] [PULL 6/6] ohci: allocate timer only once., Gerd Hoffmann, 2016/02/23
- [Qemu-devel] [PULL 3/6] usb: check RNDIS message length, Gerd Hoffmann <=
- Re: [Qemu-devel] [PULL 0/6] usb: misc bugfixes, Peter Maydell, 2016/02/23

Prev by Date: [Qemu-devel] [PULL 6/6] ohci: allocate timer only once.
Next by Date: Re: [Qemu-devel] [PATCH v9 0/5] add ACPI node for fw_cfg on pc and arm
Previous by thread: [Qemu-devel] [PULL 6/6] ohci: allocate timer only once.
Next by thread: Re: [Qemu-devel] [PULL 0/6] usb: misc bugfixes
Index(es):
- Date
- Thread