From: Jason Wessel <jason.wessel@windriver.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH] usb-serial: Fix memory overruns with usb serial emulation
Date: Wed, 17 Sep 2008 00:00:54 -0500
Message-ID: <48D08F06.2070905@windriver.com>
After using the simulated usb serial device with significant amounts of
gdb debugger traffic, I found that the data packets over 255 bytes were
getting arbitrary data from prior data packets. It turns out there are
two different memory overruns which lead to this problem.
The attached patch addresses both issues as well as removing an unused
buffer.
Please consider applying it to the development tree.
Thanks,
Jason.
[-- Attachment #2: ftdi_overrun_fix.patch --]
[-- Type: text/x-diff, Size: 1350 bytes --]
From: Jason Wessel <jason.wessel@windriver.com>
Subject: [PATCH] usb-serial: Fix memory overruns with usb serial emulation
* Remove the unused send_buf variable and its constant.
* Fix a memory overrun
recv_buf[RECV_BUF + 1];
This has to be + 1 because RECV_BUF is used for memcpy computations
in usb_serial_read() such that an extra byte is needed (0..RECV_BUF
bytes are used).
* Fix a math error
The variables recv_ptr and recv_used are not large enough to hold
the constant 384, which causes data corruption when the pointer is
reset with: s->recv_ptr = (s->recv_ptr + len) % RECV_BUF;
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
---
hw/usb-serial.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/hw/usb-serial.c
+++ b/hw/usb-serial.c
@@ -22,7 +22,6 @@ do { printf("usb-serial: " fmt , ##args)
#endif
#define RECV_BUF 384
-#define SEND_BUF 128 // Not used for now
/* Commands */
#define FTDI_RESET 0
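Review bot: with SEND_BUF gone, RECV_BUF is the only size constant left, and at 384 it does not fit the 8-bit index fields the struct had before this patch; a comment next to `#define RECV_BUF 384` stating that recv_ptr and recv_used must be at least 16 bits wide (or a build-time check of that relation) would keep a later change to the size from reintroducing the truncation the commit message describes.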
@@ -93,10 +92,9 @@ typedef struct {
USBDevice dev;
uint16_t vendorid;
uint16_t productid;
- uint8_t recv_buf[RECV_BUF];
- uint8_t recv_ptr;
- uint8_t recv_used;
- uint8_t send_buf[SEND_BUF];
+ uint8_t recv_buf[RECV_BUF + 1];
+ uint16_t recv_ptr;
+ uint16_t recv_used;
uint8_t event_chr;
uint8_t error_chr;
uint8_t event_trigger;
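Review bot: the `+ 1` on `recv_buf[RECV_BUF + 1]` pads the array around an index computation in usb_serial_read() that this diff does not touch; since the commit message shows the pointer being reset with `s->recv_ptr = (s->recv_ptr + len) % RECV_BUF`, which keeps it in 0..RECV_BUF-1, the extra byte reads as a workaround for an off-by-one in the reader rather than a fix of it, so either correct the memcpy bounds in usb_serial_read() or add a comment at the declaration saying why one byte of slack is required. Widening recv_ptr and recv_used to uint16_t is the right fix for the 384 modulo result being truncated to 8 bits on store.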
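To make the index-width failure in the commit message concrete, here is an added example (not QEMU's code) that models the recv ring with the old uint8_t and the new uint16_t position fields and drains a packet longer than 255 bytes through each; USB_CHUNK, PKT_LEN and the payload pattern are constructed values, not taken from the driver.

```c
#include <stdint.h>
#include <string.h>

#define RECV_BUF 384   /* ring size from hw/usb-serial.c */
#define USB_CHUNK 64   /* constructed per-read size, not from the patch */
#define PKT_LEN 300    /* constructed packet length, over 255 like the gdb traffic */

/* Pre-patch arithmetic: the modulo runs in int, but storing into a uint8_t
 * keeps only the low 8 bits, so any position >= 256 silently wraps. */
static unsigned narrow_advance(uint8_t ptr, unsigned len)
{
    uint8_t p = (uint8_t)((ptr + len) % RECV_BUF);
    return p;
}

/* Post-patch arithmetic: a uint16_t holds every position 0..RECV_BUF-1. */
static unsigned wide_advance(uint16_t ptr, unsigned len)
{
    uint16_t p = (uint16_t)((ptr + len) % RECV_BUF);
    return p;
}

/* Drain one PKT_LEN-byte packet from the ring in USB_CHUNK pieces, tracking
 * the read position with the chosen index width. Returns 1 if every chunk
 * matches the packet, 0 if the consumer was handed stale bytes (the
 * "arbitrary data from prior packets" the patch fixes). */
static int read_back_ok(int wide_index)
{
    uint8_t ring[RECV_BUF], src[PKT_LEN];
    uint8_t nptr = 0;
    uint16_t wptr = 0;
    unsigned consumed = 0;

    for (unsigned i = 0; i < PKT_LEN; i++)      /* constructed payload whose */
        src[i] = (uint8_t)(i ^ (i >> 8));       /* tail differs from its head */
    memset(ring, 0xEE, sizeof ring);            /* stale bytes from earlier packets */
    memcpy(ring, src, PKT_LEN);

    while (consumed < PKT_LEN) {
        unsigned len = PKT_LEN - consumed < USB_CHUNK ? PKT_LEN - consumed : USB_CHUNK;
        unsigned pos = wide_index ? wptr : nptr;
        if (memcmp(&ring[pos], &src[consumed], len) != 0)
            return 0;                           /* reader pointed at the wrong slot */
        nptr = (uint8_t)narrow_advance(nptr, len);
        wptr = (uint16_t)wide_advance(wptr, len);
        consumed += len;
    }
    return 1;
}
```

With the 8-bit index the fifth chunk is read from offset 0 instead of 256, which is exactly the over-255-byte symptom reported in the cover letter.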
Thread overview: 6+ messages
2008-09-17 5:00 Jason Wessel [this message]
2008-09-17 10:18 ` [Qemu-devel] [PATCH] usb-serial: Fix memory overruns with usb serial emulation Paul Brook
2008-09-17 10:38 ` Paul Brook
2008-09-17 11:54 ` Jason Wessel
2008-09-17 20:01 ` Samuel Thibault
2008-09-17 22:04 ` Aurelien Jarno