From: Hans de Goede <hdegoede@redhat.com>
To: qemu-devel@nongnu.org
Cc: spice-devel@lists.freedesktop.org,
	Gerd Hoffmann <kraxel@redhat.com>,
	Hans de Goede <hdegoede@redhat.com>
Subject: [Qemu-devel] [PATCH 3/3] usb: control buffer fixes
Date: Wed,  2 Feb 2011 19:18:41 +0100
Message-ID: <1296670721-2709-3-git-send-email-hdegoede@redhat.com>
In-Reply-To: <1296670721-2709-1-git-send-email-hdegoede@redhat.com>

Windows allows control transfers to pass up to 4k of data, so raise our
control buffer size to 4k. For control out transfers the usb core code copies
the control request data to a buffer before calling the device's handle_control
callback. Add a check for overflowing the buffer before copying the data.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 hw/usb.c |    6 ++++++
 hw/usb.h |    2 +-
 2 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/hw/usb.c b/hw/usb.c
index 560b3e4..4379c2a 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -98,6 +98,12 @@ static int do_token_setup(USBDevice *s, USBPacket *p)
             s->setup_len = ret;
         s->setup_state = SETUP_STATE_DATA;
     } else {
+        if (s->setup_len > sizeof(s->data_buf)) {
+            fprintf(stderr,
+                "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+                s->setup_len, sizeof(s->data_buf));
+            return USB_RET_STALL;
+        }
         if (s->setup_len == 0)
             s->setup_state = SETUP_STATE_ACK;
         else
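Review bot: the bound is applied only in the else (OUT) branch; the if-branch above stores the device's return value with `s->setup_len = ret;` and has no equivalent guard, so for IN transfers every device's handle_control must itself stay within data_buf, and a `ret > sizeof(s->data_buf)` check there would at least cap what is later copied back to the guest. Two smaller points: the diagnostic names usb_generic_handle_packet although the function is do_token_setup, and because wLength is supplied by the guest, an unconditional fprintf(stderr) lets a guest flood the host log at will; a rate-limited or trace-point message is preferable. Returning USB_RET_STALL before any copy is the right order, and comparing the int setup_len against size_t means a negative value also takes the stall path, which is the safe direction.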
diff --git a/hw/usb.h b/hw/usb.h
index 412ce02..51ccc86 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -167,7 +167,7 @@ struct USBDevice {
 
     int state;
     uint8_t setup_buf[8];
-    uint8_t data_buf[1024];
+    uint8_t data_buf[4096];
     int remote_wakeup;
     int setup_state;
     int setup_len;
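Review bot: the reason for 4096 (Windows passes up to 4k in a control transfer) is recorded only in the commit message; a one-line comment on data_buf would keep the rationale next to the field. Since the hw/usb.c check uses sizeof(s->data_buf), the check tracks this definition automatically if the size changes again. Note that the bump adds 3 KiB to every USBDevice instance, which is acceptable for the device counts involved but worth stating.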
-- 
1.7.3.2
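The following is an added example, not QEMU's code and not part of this patch: a stand-alone C model of the control-OUT setup path that shows the pre-patch behaviour (the guest's wLength is accepted as the copy length into data_buf) beside the checked behaviour the patch introduces (the request is stalled before any data is copied when wLength exceeds the buffer). The type CtrlDev, the constants DATA_BUF_SIZE and RET_STALL, and the helper names are assumptions chosen for this example; only the 4096-byte buffer size and the shape of the check come from the patch.

```c
/* Added example (not QEMU's code): models the control-OUT length check that
 * the patch adds to do_token_setup(). CtrlDev, DATA_BUF_SIZE, RET_STALL and
 * the helper names are assumptions made for this example. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define DATA_BUF_SIZE 4096   /* matches the patch's new data_buf[4096] */
#define RET_STALL (-3)       /* stand-in for USB_RET_STALL */

typedef struct {
    uint8_t setup_buf[8];            /* 8-byte SETUP packet, as in USBDevice */
    uint8_t data_buf[DATA_BUF_SIZE]; /* control data stage lands here */
    int setup_len;
} CtrlDev;

/* Decode wLength (little-endian bytes 6..7 of SETUP). It is chosen by the
 * guest and can be up to 65535, far larger than any data_buf. */
static int setup_wlength(const uint8_t setup[8])
{
    return (setup[7] << 8) | setup[6];
}

/* Pre-patch behaviour: setup_len is taken from the guest unchecked and
 * becomes the number of bytes later copied into data_buf. */
static int accept_ctrl_out_unchecked(CtrlDev *d, const uint8_t setup[8])
{
    memcpy(d->setup_buf, setup, 8);
    d->setup_len = setup_wlength(setup);
    return d->setup_len;
}

/* Patched behaviour: stall before any data is copied when wLength exceeds
 * the buffer. Returns the accepted length or RET_STALL. */
static int accept_ctrl_out_checked(CtrlDev *d, const uint8_t setup[8])
{
    memcpy(d->setup_buf, setup, 8);
    d->setup_len = setup_wlength(setup);
    if (d->setup_len > (int)sizeof(d->data_buf)) {
        fprintf(stderr, "ctrl buffer too small (%d > %zu)\n",
                d->setup_len, sizeof(d->data_buf));
        return RET_STALL;
    }
    return d->setup_len;
}

/* Store one OUT data stage, but only after the bound was accepted.
 * Returns bytes stored, or RET_STALL if the request was rejected. */
static int store_ctrl_out_data(CtrlDev *d, const uint8_t setup[8],
                               const uint8_t *data, size_t len)
{
    int accepted = accept_ctrl_out_checked(d, setup);
    if (accepted < 0) {
        return accepted;
    }
    size_t n = len < (size_t)accepted ? len : (size_t)accepted;
    memcpy(d->data_buf, data, n);
    return (int)n;
}

/* Build a constructed SETUP packet (vendor request, host-to-device). */
static void make_setup(uint8_t setup[8], uint16_t wlength)
{
    memset(setup, 0, 8);
    setup[0] = 0x40;                  /* bmRequestType: vendor, OUT */
    setup[6] = (uint8_t)(wlength & 0xff);
    setup[7] = (uint8_t)(wlength >> 8);
}

/* Result of the checked path for a given guest-chosen wLength. */
static int checked_result_for(uint16_t wlength)
{
    CtrlDev d;
    uint8_t s[8];
    make_setup(s, wlength);
    return accept_ctrl_out_checked(&d, s);
}

/* Result of the unchecked (pre-patch) path for the same wLength. */
static int unchecked_result_for(uint16_t wlength)
{
    CtrlDev d;
    uint8_t s[8];
    make_setup(s, wlength);
    return accept_ctrl_out_unchecked(&d, s);
}

int main(void)
{
    printf("wLength 4096:  checked=%d\n", checked_result_for(4096));
    printf("wLength 4097:  checked=%d (stall)\n", checked_result_for(4097));
    printf("wLength 65535: unchecked=%d checked=%d\n",
           unchecked_result_for(0xFFFF), checked_result_for(0xFFFF));
    return 0;
}
```

The point of the two variants is the ordering: the checked path rejects the request on the SETUP stage, before any OUT data reaches data_buf, which is exactly where the patch places its test. A later clamp of the copy length would be a weaker fix, because device-specific handle_control code would still see a setup_len larger than the buffer it is handed.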
