Date: Wed, 17 Jan 2007 11:08:20 +0100
From: Aurelien Jarno
Subject: Re: [Qemu-devel] qemu/usb-uhci: Data buffer is too small
Message-ID: <20070117100820.GA6010@amd64.aurel32.net>
References: <20061130054141.GA1040@gondor.apana.org.au>
In-Reply-To: <20061130054141.GA1040@gondor.apana.org.au>
Reply-To: qemu-devel@nongnu.org
To: qemu-devel@nongnu.org
Cc: Xen Development Mailing List, Keir Fraser

On Thu, Nov 30, 2006 at 04:41:41PM +1100, Herbert Xu wrote:
> Hi:
>
> [QEMU] usb-uhci: Data buffer is too small
>
> The data buffer is only 1280 bytes long but the user-supplied length
> can be as large as 0x7ff. This patch extends the buffer to 2048
> bytes.
>

This patch does not apply to the current CVS, as the variable buf has
been moved into a structure. If the problem is still there, I guess the
patch below should be applied instead.

Index: hw/usb-uhci.c =================================================================== RCS file: /sources/qemu/qemu/hw/usb-uhci.c,v retrieving revision 1.12 diff -u -d -p -r1.12 usb-uhci.c --- hw/usb-uhci.c 12 Aug 2006 01:04:27 -0000 1.12 +++ hw/usb-uhci.c 17 Jan 2007 10:06:16 -0000 @@ -87,7 +87,7 @@ typedef struct UHCIState { is to allow multiple pending requests. */ uint32_t async_qh; USBPacket usb_packet; - uint8_t usb_buf[1280]; + uint8_t usb_buf[2048]; } UHCIState; typedef struct UHCI_TD {

-- 
  .''`.  Aurelien Jarno             | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net
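
Review bot: the new bound in `uint8_t usb_buf[2048];` inside UHCIState is a bare literal, and nothing in the hunk ties it to the 0x7ff maximum length given in the quoted description or checks the length where the buffer is filled. Consider a named constant for the size, with a comment stating that it covers the largest length the guest can supply, plus a check of the transfer length against the size of the usb_buf field at the point of use, so the buffer cannot silently fall behind the length limit again. The cover text says only "if the problem is still there", so it is also worth confirming against current CVS that the length used with usb_buf can still exceed 1280 before this is applied.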
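
The sizing problem described in this thread, as an added example that is not part of the original message or of QEMU's code: a compile-time and a runtime guard that keep a buffer in step with the largest guest-supplied length. `DemoState`, `checked_fill` and `count_unsafe_lengths` are hypothetical names, and the 11-bit length field is an assumption drawn from the 0x7ff maximum quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: the guest-supplied length is an 11-bit field, which is what
 * the 0x7ff maximum in the report implies. */
#define GUEST_LEN_MASK 0x7ffu
#define OLD_BUF_SIZE   1280u                  /* size before the patch */
#define NEW_BUF_SIZE   (GUEST_LEN_MASK + 1u)  /* 2048, size after the patch */

/* Hypothetical stand-in for the device state that embeds the buffer. */
typedef struct {
    uint8_t usb_buf[NEW_BUF_SIZE];
} DemoState;

/* Compile-time guard: the build fails if the buffer is ever made smaller
 * than the largest length the guest can encode. */
_Static_assert(sizeof(((DemoState *)0)->usb_buf) > GUEST_LEN_MASK,
               "usb_buf must hold the largest guest-supplied length");

/* How many encodable lengths would write past a buffer of `cap` bytes? */
static unsigned count_unsafe_lengths(size_t cap)
{
    unsigned n = 0;
    for (uint32_t len = 0; len <= GUEST_LEN_MASK; len++)
        if (len > cap)
            n++;
    return n;
}

/* Runtime guard: fill `buf` only if the masked guest length fits in `cap`.
 * Returns the number of bytes written, or -1 if the request is rejected. */
static int checked_fill(uint8_t *buf, size_t cap, uint32_t guest_len)
{
    size_t len = guest_len & GUEST_LEN_MASK;
    if (len > cap)
        return -1;
    memset(buf, 0xA5, len);
    return (int)len;
}

int main(void)
{
    static DemoState s;
    /* 0x7ff is rejected against the old size and accepted against the new. */
    int old_rc = checked_fill(s.usb_buf, OLD_BUF_SIZE, 0x7ff);
    int new_rc = checked_fill(s.usb_buf, sizeof(s.usb_buf), 0x7ff);
    return (old_rc == -1 && new_rc == 0x7ff) ? 0 : 1;
}
```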