From: Gerd Hoffmann
Date: Tue, 13 May 2014 11:49:32 +0200
To: "Michael S. Tsirkin"
Cc: qemu-devel@nongnu.org, dgilbert@redhat.com
Subject: Re: [Qemu-devel] [PATCH] usb: fix up post load checks
Message-ID: <1399974572.7118.52.camel@nilsson.home.kraxel.org>
In-Reply-To: <20140513090507.GA29760@redhat.com>
References: <1399896829-16617-1-git-send-email-mst@redhat.com> <1399967409.7118.38.camel@nilsson.home.kraxel.org> <20140513083214.GD29442@redhat.com> <1399970685.7118.45.camel@nilsson.home.kraxel.org> <20140513090507.GA29760@redhat.com>

  Hi,

> And SETUP_STATE_PARAM?

Shortcut for small control transfers on xhci. Doesn't go through the idle -> setup -> data -> ack state engine.

Security-wise: you can't go from 'param' to 'data' without 'setup' in between. Besides that, index should still be zero at the point where len is modified (similar to the other place in setup state).

Side note: changing len should not happen in normal operation, only with a malicious / buggy guest. It happens in case the guest claims the data transfer is larger than the buffer supplied by the guest.

cheers,
  Gerd
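The following C block is an added illustration of the post-load discipline the reply describes; it is not the patch under discussion and not QEMU's code. The struct, enum names and buffer size are assumptions chosen to mirror the thread's wording (state, len, index, a fixed data buffer). It shows the two places the mail distinguishes: the runtime path, where a guest-claimed length larger than the buffer is clamped, and the post-load path, where migrated values are treated as untrusted and every invariant is re-checked, including "index is zero in the setup and param states".

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified state block. Names follow the thread's
 * wording but are assumptions, not QEMU's definitions. */
enum setup_state {
    SETUP_STATE_IDLE = 0,
    SETUP_STATE_SETUP,
    SETUP_STATE_DATA,
    SETUP_STATE_ACK,
    SETUP_STATE_PARAM,   /* xhci shortcut for small control transfers */
};

#define DATA_BUF_SIZE 4096   /* assumed buffer size for this example */

struct usb_dev_state {
    int32_t setup_state;   /* position in the control-transfer state engine */
    int32_t setup_len;     /* bytes the transfer is expected to move */
    int32_t setup_index;   /* bytes moved so far through data_buf */
    uint8_t data_buf[DATA_BUF_SIZE];
};

/* Runtime path: the guest-supplied wLength is clamped to the buffer, so
 * len is only "modified" when a buggy or malicious guest over-claims.
 * Returns the length actually accepted. */
int32_t setup_begin(struct usb_dev_state *s, uint16_t wlength)
{
    s->setup_state = SETUP_STATE_SETUP;
    s->setup_index = 0;            /* nothing copied yet */
    s->setup_len = wlength;
    if (s->setup_len > DATA_BUF_SIZE)
        s->setup_len = DATA_BUF_SIZE;
    return s->setup_len;
}

/* Post-load path: migration data is untrusted, so every invariant the
 * runtime code relies on is re-established here. Returns 0 if the
 * state is acceptable, -EINVAL otherwise. */
int usb_dev_post_load(const struct usb_dev_state *s)
{
    if (s->setup_state < SETUP_STATE_IDLE ||
        s->setup_state > SETUP_STATE_PARAM)
        return -EINVAL;
    if (s->setup_len < 0 || s->setup_len > DATA_BUF_SIZE)
        return -EINVAL;
    if (s->setup_index < 0 || s->setup_index > s->setup_len)
        return -EINVAL;
    /* Before the data phase nothing has been copied, so index must be
     * zero in 'setup' and 'param' (the point the mail makes). */
    if ((s->setup_state == SETUP_STATE_SETUP ||
         s->setup_state == SETUP_STATE_PARAM) &&
        s->setup_index != 0)
        return -EINVAL;
    return 0;
}

/* Helper: build a state block from the three fields a migration stream
 * would carry and run the post-load check on it. */
int check_loaded(int32_t state, int32_t len, int32_t index)
{
    struct usb_dev_state s;
    memset(&s, 0, sizeof(s));
    s.setup_state = state;
    s.setup_len = len;
    s.setup_index = index;
    return usb_dev_post_load(&s);
}

/* Helper: run the runtime clamp for a given wLength and confirm the
 * resulting state also passes the post-load check. Returns the
 * accepted length, or -1 if the state would be rejected. */
int32_t clamped_len(uint16_t wlength)
{
    struct usb_dev_state s;
    memset(&s, 0, sizeof(s));
    setup_begin(&s, wlength);
    return usb_dev_post_load(&s) == 0 ? s.setup_len : -1;
}
```

The check is deliberately written as a set of independent range tests rather than one combined condition, so that a future change to the state engine (for example a new state) fails closed at the first test that no longer holds instead of silently widening what is accepted.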