From: Jason Wessel
Subject: [PATCH] usb-serial: Fix memory overruns with usb serial emulation

* Remove the unused send_buf variable and its constant.
* Fix a memory overrun recv_buf[RECV_BUF + 1]; This has to be + 1 because RECV_BUF is used for memcpy computations in usb_serial_read() such that an extra byte is 0..RECV_BUF bytes are used.
* Fix a math error The variables recv_ptr and recv_used are not large enough to hold the constant 384, which causes data corruption when the pointer is reset with: s->recv_ptr = (s->recv_ptr + len) % RECV_BUF;

Signed-off-by: Jason Wessel
---
hw/usb-serial.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)

--- a/hw/usb-serial.c
+++ b/hw/usb-serial.c
@@ -22,7 +22,6 @@ do { printf("usb-serial: " fmt , ##args)
 #endif
 
 #define RECV_BUF 384
-#define SEND_BUF 128 // Not used for now
 
 /* Commands */
 #define FTDI_RESET 0
@@ -93,10 +92,9 @@ typedef struct {
 USBDevice dev;
 uint16_t vendorid;
 uint16_t productid;
- uint8_t recv_buf[RECV_BUF];
- uint8_t recv_ptr;
- uint8_t recv_used;
- uint8_t send_buf[SEND_BUF];
+ uint8_t recv_buf[RECV_BUF + 1];
+ uint16_t recv_ptr;
+ uint16_t recv_used;
 uint8_t event_chr;
 uint8_t error_chr;
 uint8_t event_trigger;
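Review bot: The `+ 1` on `recv_buf` in the second hunk encodes an invariant that lives outside it (the index arithmetic in usb_serial_read(), per the description), and nothing at the declaration records that, so a later change to RECV_BUF or to the read path can silently bring the overrun back; add `uint8_t recv_buf[RECV_BUF + 1]; /* +1: usb_serial_read() may index up to RECV_BUF */`. Widening `recv_ptr`/`recv_used` to uint16_t is right for RECV_BUF = 384, which does not fit a uint8_t, but the field width is now tied to the constant, so a comment such as `/* must hold RECV_BUF (384) */` on those two fields, or a `_Static_assert` if the tree's compilers allow it, would make that dependency explicit. Bounding the index in usb_serial_read() itself would be the cleaner fix than oversizing the buffer, but that function is not in this patch so its exact arithmetic cannot be checked here. The enclosing typedef struct begins at the hunk header and continues past the end of the hunk.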