From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Hans de Goede <hdegoede@redhat.com>, Gerd Hoffmann <kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH 08/14] usb: control buffer fixes
Date: Wed,  4 May 2011 17:41:42 +0200
Message-ID: <1304523708-9556-9-git-send-email-kraxel@redhat.com>
In-Reply-To: <1304523708-9556-1-git-send-email-kraxel@redhat.com>

From: Hans de Goede <hdegoede@redhat.com>

Windows allows control transfers to pass up to 4k of data, so raise our
control buffer size to 4k. For control out transfers the usb core code copies
the control request data to a buffer before calling the device's handle_control
callback. Add a check for overflowing the buffer before copying the data.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb.c |    6 ++++++
 hw/usb.h |    2 +-
 2 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/hw/usb.c b/hw/usb.c
index 82a6217..d8c0a75 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -93,6 +93,12 @@ static int do_token_setup(USBDevice *s, USBPacket *p)
             s->setup_len = ret;
         s->setup_state = SETUP_STATE_DATA;
     } else {
+        if (s->setup_len > sizeof(s->data_buf)) {
+            fprintf(stderr,
+                "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+                s->setup_len, sizeof(s->data_buf));
+            return USB_RET_STALL;
+        }
         if (s->setup_len == 0)
             s->setup_state = SETUP_STATE_ACK;
         else
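
Review bot: the early `return USB_RET_STALL;` in the else branch leaves s->setup_len holding the rejected oversized value and does not touch s->setup_state, so any later data-stage handling that trusts setup_len would still see a length larger than data_buf; consider clearing setup_len (and resetting the setup state) before returning. The bound is also applied only on this control-out path, while the branch just above assigns `s->setup_len = ret` and moves to SETUP_STATE_DATA with no comparison against sizeof(s->data_buf) in the visible lines, so it is worth confirming that path cannot exceed the buffer either. Two smaller points: the message names usb_generic_handle_packet although the hunk header shows the check sits in do_token_setup, and since setup_len is an int32_t compared against a size_t, a short comment noting that negative values are rejected through the unsigned conversion would make the intent explicit.
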
diff --git a/hw/usb.h b/hw/usb.h
index d3d755d..22bb338 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -167,7 +167,7 @@ struct USBDevice {
 
     int32_t state;
     uint8_t setup_buf[8];
-    uint8_t data_buf[1024];
+    uint8_t data_buf[4096];
     int32_t remote_wakeup;
     int32_t setup_state;
     int32_t setup_len;
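
Review bot: the new `data_buf[4096]` size is a bare literal with no comment tying it to the 4k Windows control-transfer limit given in the commit message; a named constant with a one-line comment would document where the number comes from and keep it in one place if the limit changes. The field that must stay within this bound, setup_len, is a signed int32_t a few lines below, so a note next to it that it must never exceed sizeof(data_buf) would help readers of the struct.
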
-- 
1.7.1
