Date: Tue, 9 Nov 2010 11:39:01 +0200
From: Gleb Natapov
To: Markus Armbruster
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] Out of array access in usb-net
Message-ID: <20101109093901.GM9036@redhat.com>
References: <20101109073653.GF9036@redhat.com>

On Tue, Nov 09, 2010 at 10:30:54AM +0100, Markus Armbruster wrote:
> Gleb Natapov writes:
>
> > Properly check array bounds before accessing array element.
>
> Impact?
> Gaping security hole for those unfortunate enough to use usb-net?
> Apply to stable as well?
>
Definitely. Actually for me Windows7 crashed when usb-net is present.

> > Signed-off-by: Gleb Natapov
> >
> > diff --git a/hw/usb-net.c b/hw/usb-net.c
> > index 70f9263..84e2d79 100644
> > --- a/hw/usb-net.c
> > +++ b/hw/usb-net.c
> > @@ -1142,7 +1142,7 @@ static int usb_net_handle_control(USBDevice *dev, int request, int value,
> >          break;
> >
> >      default:
> > -        if (usb_net_stringtable[value & 0xff]) {
> > +        if (ARRAY_SIZE(usb_net_stringtable) > (value & 0xff)) {
> >              ret = set_usb_string(data,
> >                                   usb_net_stringtable[value & 0xff]);
> >              break;
>
> Makes sense.
>
> Nitpick: LIMIT > INDEX looks unusual to me; INDEX < LIMIT is more
> common.

--
			Gleb.
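Review bot: the new condition in the `default:` branch, `if (ARRAY_SIZE(usb_net_stringtable) > (value & 0xff))`, replaces the old NULL test instead of adding to it, so any NULL slot in usb_net_stringtable (the table itself is not visible in the hunk) would now be passed straight to set_usb_string(). Unless the table is known to be fully populated, keep both checks, which also gives the INDEX < LIMIT order raised in the thread: `if ((value & 0xff) < ARRAY_SIZE(usb_net_stringtable) && usb_net_stringtable[value & 0xff])`. The commit message should also state why the old test was unsafe: it indexed the array before validating the index, so an out-of-range `value` read past the end of the table.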