From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:54897)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1UNKEO-0007M6-9C
	for qemu-devel@nongnu.org; Wed, 03 Apr 2013 05:43:50 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1UNKEK-0003P7-GN
	for qemu-devel@nongnu.org; Wed, 03 Apr 2013 05:43:48 -0400
Received: from mx1.redhat.com ([209.132.183.28]:54880)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1UNKEK-0003OZ-8i
	for qemu-devel@nongnu.org; Wed, 03 Apr 2013 05:43:44 -0400
Received: from int-mx12.intmail.prod.int.phx2.redhat.com
	(int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.25])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r339hhX7020085
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <qemu-devel@nongnu.org>; Wed, 3 Apr 2013 05:43:43 -0400
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed,  3 Apr 2013 11:43:37 +0200
Message-Id: <1364982220-4755-8-git-send-email-kraxel@redhat.com>
In-Reply-To: <1364982220-4755-1-git-send-email-kraxel@redhat.com>
References: <1364982220-4755-1-git-send-email-kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH 07/10] usb-hub: limit chain length
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>

USB supports up to 5 hubs chained.
Catch attempts to chain more.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb.h         |    1 +
 hw/usb/bus.c     |    2 ++
 hw/usb/dev-hub.c |    6 ++++++
 3 files changed, 9 insertions(+)

diff --git a/hw/usb.h b/hw/usb.h
index 1b10684..4d9d05e 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -337,6 +337,7 @@ typedef struct USBPortOps {
 struct USBPort {
     USBDevice *dev;
     int speedmask;
+    int hubcount;
     char path[16];
     USBPortOps *ops;
     void *opaque;
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index e58cd9a..b10c290 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -341,8 +341,10 @@ void usb_port_location(USBPort *downstream, USBPort *upstream, int portnr)
     if (upstream) {
         snprintf(downstream->path, sizeof(downstream->path), "%s.%d",
                  upstream->path, portnr);
+        downstream->hubcount = upstream->hubcount + 1;
     } else {
         snprintf(downstream->path, sizeof(downstream->path), "%d", portnr);
+        downstream->hubcount = 0;
     }
 }
 
diff --git a/hw/usb/dev-hub.c b/hw/usb/dev-hub.c
index 504c98c..a5f092b 100644
--- a/hw/usb/dev-hub.c
+++ b/hw/usb/dev-hub.c
@@ -25,6 +25,7 @@
 #include "trace.h"
 #include "hw/usb.h"
 #include "hw/usb/desc.h"
+#include "qemu/error-report.h"
 
 #define NUM_PORTS 8
 
@@ -514,6 +515,11 @@ static int usb_hub_initfn(USBDevice *dev)
     USBHubPort *port;
     int i;
 
+    if (dev->port->hubcount == 5) {
+        error_report("usb hub chain too deep");
+        return -1;
+    }
+
     usb_desc_create_serial(dev);
     usb_desc_init(dev);
     s->intr = usb_ep_get(dev, USB_TOKEN_IN, 1);
-- 
1.7.9.7