From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:46323)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1aW3Na-0005e9-AB
	for qemu-devel@nongnu.org; Wed, 17 Feb 2016 09:46:59 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1aW3NX-0004Zr-56
	for qemu-devel@nongnu.org; Wed, 17 Feb 2016 09:46:58 -0500
Received: from mx1.redhat.com ([209.132.183.28]:55506)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1aW3NW-0004Zg-Vn
	for qemu-devel@nongnu.org; Wed, 17 Feb 2016 09:46:55 -0500
Message-ID: <1455720412.9127.36.camel@redhat.com>
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 17 Feb 2016 15:46:52 +0100
In-Reply-To: <alpine.LFD.2.20.1602171344270.22764@wniryva>
References: <1454669651-29411-1-git-send-email-ppandit@redhat.com>
	<1455633230.7504.107.camel@redhat.com>
	<alpine.LFD.2.20.1602171344270.22764@wniryva>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0
Subject: Re: [Qemu-devel] [PATCH] usb: check RNDIS buffer offsets & length
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: P J P <ppandit@redhat.com>
Cc: Qinghao Tang <luodalongde@gmail.com>, Qemu Developers <qemu-devel@nongnu.org>

On Mi, 2016-02-17 at 13:55 +0530, P J P wrote:
> +-- On Tue, 16 Feb 2016, Gerd Hoffmann wrote --+
> | > @@ -172,11 +172,18 @@ static void do_token_in(USBDevice *s, USBPacket=
 *p)
> | >      assert(p->ep->nr =3D=3D 0);
> | > +    if (s->setup_len > sizeof(s->data_buf)) {
> | > +        fprintf(stderr,
> | > +                "usb_generic_handle_packet: ctrl buffer too small (%=
d > %zu)\n",
> | > +                s->setup_len, sizeof(s->data_buf));
> | > +        p->status =3D USB_RET_STALL;
> | > +        return;
> | > +    }
> |=20
> | Why this is needed?  All control transfers go through do_token_setup
> | first, so with the check moved in do_token_setup we should never ever
> | trigger it here ...
>=20
>   usb_handle_packet
>    -> usb_process_one
>     -> do_token_in
>=20
>   Is it possible for a guest to call do_token_in, without calling=20
> do_token_setup first?

For anything interesting to happen in do_token_in() setup_state must be
set to either ACK or DATA, and for that to be the case do_token_setup()
must run first.  I don't think the guest can trick qemu to go straight
to do_token_in().

Also s->setup_len is set in do_token_setup() only, verifying it once
(after setting it from guest-supplied data) should be enough.

cheers,
  Gerd