From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Prasad J Pandit <pjp@fedoraproject.org>,
Gerd Hoffmann <kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 1/6] usb: check USB configuration descriptor object
Date: Tue, 23 Feb 2016 11:54:53 +0100 [thread overview]
Message-ID: <1456224898-23270-2-git-send-email-kraxel@redhat.com> (raw)
In-Reply-To: <1456224898-23270-1-git-send-email-kraxel@redhat.com>
From: Prasad J Pandit <pjp@fedoraproject.org>
When processing remote NDIS control message packets, the USB Net
device emulator checks to see if the USB configuration descriptor
object is of RNDIS type(2). But it does not check if it is null,
which leads to a null dereference error. Add check to avoid it.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/usb/dev-network.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
index 985a629..5dc4538 100644
--- a/hw/usb/dev-network.c
+++ b/hw/usb/dev-network.c
@@ -654,7 +654,8 @@ typedef struct USBNetState {
static int is_rndis(USBNetState *s)
{
- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
+ return s->dev.config ?
+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
}
static int ndis_query(USBNetState *s, uint32_t oid,
--
1.8.3.1
next prev parent reply other threads:[~2016-02-23 10:55 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-23 10:54 [Qemu-devel] [PULL 0/6] usb: misc bugfixes Gerd Hoffmann
2016-02-23 10:54 ` Gerd Hoffmann [this message]
2016-02-23 10:54 ` [Qemu-devel] [PULL 2/6] tusb6010: move from hw/timer to hw/usb Gerd Hoffmann
2016-02-23 10:54 ` [Qemu-devel] [PULL 3/6] usb: check RNDIS message length Gerd Hoffmann
2016-02-23 10:54 ` [Qemu-devel] [PULL 4/6] usb: check RNDIS buffer offsets & length Gerd Hoffmann
2016-02-23 10:54 ` [Qemu-devel] [PULL 5/6] usb: add pid check at the first of uhci_handle_td() Gerd Hoffmann
2016-02-23 10:54 ` [Qemu-devel] [PULL 6/6] ohci: allocate timer only once Gerd Hoffmann
2016-02-23 11:47 ` [Qemu-devel] [PULL 0/6] usb: misc bugfixes Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1456224898-23270-2-git-send-email-kraxel@redhat.com \
--to=kraxel@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).