From: Paul Brook
Subject: Re: [Qemu-devel] [PATCH] usb-serial: Fix memory overruns with usb serial emulation
Date: Wed, 17 Sep 2008 11:38:01 +0100
To: qemu-devel@nongnu.org
Message-Id: <200809171138.01465.paul@codesourcery.com>
In-Reply-To: <200809171118.42802.paul@codesourcery.com>
References: <48D08F06.2070905@windriver.com> <200809171118.42802.paul@codesourcery.com>

On Wednesday 17 September 2008, Paul Brook wrote:
> On Wednesday 17 September 2008, Jason Wessel wrote:
> > * Fix a memory overrun
> >
> > recv_buf[RECV_BUF + 1];
> >
> > This has to be + 1 because RECV_BUF is used for memcpy computations
> > in usb_serial_read() such that an extra byte is 0..RECV_BUF bytes
> > are used.
>
> I think this is wrong. I can't see any way this code could overflow.

On further inspection I can see a bug, but the above change is not the
correct fix, and it will cause lost data not overflows.

The calculation of first_size is incorrect when the buffer has wrapped.

Paul
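The wrap case Paul points at, as an added illustration that is not part of this thread and not QEMU's usb-serial code: a constructed ring buffer (the names recv_buf, RECV_BUF and first_size are borrowed from the discussion; the capacity of 8 and the recv_ptr/recv_used fields are assumptions for brevity) whose read path clamps first_size to the bytes left before the end of the array, so a wrapped read never runs past recv_buf and needs no extra byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed small capacity for the demonstration; not the real usb-serial value. */
#define RECV_BUF 8

typedef struct {
    uint8_t recv_buf[RECV_BUF];
    size_t recv_ptr;   /* index of the oldest unread byte */
    size_t recv_used;  /* number of unread bytes in the ring */
} RecvRing;

/* Append up to n bytes; bytes that do not fit are dropped and the short count returned. */
static size_t ring_write(RecvRing *r, const uint8_t *src, size_t n)
{
    size_t space = RECV_BUF - r->recv_used;
    if (n > space)
        n = space;
    for (size_t i = 0; i < n; i++)
        r->recv_buf[(r->recv_ptr + r->recv_used + i) % RECV_BUF] = src[i];
    r->recv_used += n;
    return n;
}

/* Copy up to max unread bytes to dst. When the data wraps, first_size is the
 * contiguous run from recv_ptr to the end of the array; it must be clamped
 * both to len and to RECV_BUF - recv_ptr, otherwise the first memcpy reads
 * past the end of recv_buf. The remainder comes from the start of the array. */
static size_t ring_read(RecvRing *r, uint8_t *dst, size_t max)
{
    size_t len = r->recv_used < max ? r->recv_used : max;
    size_t first_size = RECV_BUF - r->recv_ptr;   /* bytes before the wrap point */
    if (first_size > len)
        first_size = len;
    memcpy(dst, r->recv_buf + r->recv_ptr, first_size);
    if (len > first_size)
        memcpy(dst + first_size, r->recv_buf, len - first_size);
    r->recv_ptr = (r->recv_ptr + len) % RECV_BUF;
    r->recv_used -= len;
    return len;
}

int main(void)
{
    RecvRing r = {{0}, 0, 0};
    uint8_t out[RECV_BUF];
    ring_write(&r, (const uint8_t *)"ABCDEF", 6);
    ring_read(&r, out, 4);                          /* consume ABCD, recv_ptr = 4 */
    ring_write(&r, (const uint8_t *)"GHIJ", 4);     /* GH fill slots 6,7; IJ wrap to 0,1 */
    size_t n = ring_read(&r, out, sizeof out);      /* wrapped read: EFGH then IJ */
    printf("%.*s\n", (int)n, out);
    return 0;
}
```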