Message-ID: <48D08F06.2070905@windriver.com>
Date: Wed, 17 Sep 2008 00:00:54 -0500
From: Jason Wessel
Subject: [Qemu-devel] [PATCH] usb-serial: Fix memory overruns with usb serial emulation
To: qemu-devel@nongnu.org

After using the simulated usb serial device with significant amounts of gdb debugger traffic, I found that the data packets over 255 bytes were getting arbitrary data from prior data packets. It turns out there are two different memory overruns which lead to this problem.

The attached patch addresses both issues as well as removing an unused buffer. Please consider applying it to the development tree.

Thanks,
Jason.

Attachment: ftdi_overrun_fix.patch

From: Jason Wessel
Subject: [PATCH] usb-serial: Fix memory overruns with usb serial emulation

* Remove the unused send_buf variable and its constant.

* Fix a memory overrun
  recv_buf[RECV_BUF + 1];
  This has to be + 1 because RECV_BUF is used for memcpy computations in usb_serial_read() such that an extra byte is 0..RECV_BUF bytes are used.

* Fix a math error
  The variables recv_ptr and recv_used are not large enough to hold the constant 384, which causes data corruption when the pointer is reset with:
  s->recv_ptr = (s->recv_ptr + len) % RECV_BUF;

Signed-off-by: Jason Wessel
---
 hw/usb-serial.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/hw/usb-serial.c
+++ b/hw/usb-serial.c
@@ -22,7 +22,6 @@ do { printf("usb-serial: " fmt , ##args) #endif #define RECV_BUF 384 -#define SEND_BUF 128 // Not used for now /* Commands */ #define FTDI_RESET 0 @@ -93,10 +92,9 @@ typedef struct { USBDevice dev; uint16_t vendorid; uint16_t productid; - uint8_t recv_buf[RECV_BUF]; - uint8_t recv_ptr; - uint8_t recv_used; - uint8_t send_buf[SEND_BUF]; + uint8_t recv_buf[RECV_BUF + 1]; + uint16_t recv_ptr; + uint16_t recv_used; uint8_t event_chr; uint8_t error_chr; uint8_t event_trigger; --------------020801060207090907020100--
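Review bot: Dropping `#define SEND_BUF 128 // Not used for now` in the first hunk is only safe if no other reference to SEND_BUF or send_buf remains in hw/usb-serial.c; the second hunk removes the one field declared with it, and the diffstat (3 insertions, 5 deletions) shows nothing else being touched, so a grep for both names before applying would confirm the "unused" claim in the commit message (a leftover reference would at least fail loudly at compile time rather than silently).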
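Review bot: In the second hunk, widening recv_ptr and recv_used from uint8_t to uint16_t is the substantive fix for the `(s->recv_ptr + len) % RECV_BUF` wrap quoted in the commit message: with an 8-bit field an offset such as 300 is stored as 44, so the next read starts at the wrong place in the ring and returns bytes left over from an earlier packet, which matches the symptom reported in the mail. The `recv_buf[RECV_BUF + 1]` change deserves a closer look, though: the commit message itself says usb_serial_read() can index up to RECV_BUF, i.e. that function's bound is off by one, and the extra byte only absorbs the write without making it reachable through the modulo-RECV_BUF read pointer. I'd suggest either correcting the bound in usb_serial_read() so indices stay in 0..RECV_BUF-1, or at minimum a comment on the array field explaining why the +1 is there, so a later cleanup does not shrink it back to RECV_BUF and reintroduce the overrun.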
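The math error the commit message describes (8-bit recv_ptr/recv_used fields holding offsets into a 384-byte ring), modelled in C as an added example that is neither QEMU's code nor part of the patch. The ring logic, the packet size (200-byte packets drained in 62-byte reads) and the byte patterns are constructed here; the field width is emulated by masking on every store, so the same model runs with the old 8-bit and the new 16-bit fields. It models only the counter-width bug, not the RECV_BUF + 1 array bound.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECV_BUF 384        /* ring size used by the emulated FTDI device */
#define USB_PAYLOAD 62      /* constructed: bytes handed out per bulk IN read */
#define PACKET_LEN 200      /* constructed: one serial packet from the host side */

/* Constructed model of the receive ring (not QEMU's code).  index_bits emulates
 * the C type width of the read pointer and fill count: 8 reproduces the uint8_t
 * fields the patch replaces, 16 the uint16_t fields it introduces. */
struct ring {
    uint8_t buf[RECV_BUF];
    unsigned ptr;           /* next byte to hand to the USB host */
    unsigned used;          /* bytes queued */
    unsigned index_bits;
};

/* Truncate v the way a store into an index_bits-wide unsigned field would. */
static unsigned store(const struct ring *r, unsigned v)
{
    return v & ((1u << r->index_bits) - 1u);
}

static void ring_init(struct ring *r, unsigned index_bits)
{
    memset(r, 0, sizeof *r);
    r->index_bits = index_bits;
}

/* Producer side: append len bytes after the queued data, wrapping at RECV_BUF. */
static int ring_write(struct ring *r, const uint8_t *src, unsigned len)
{
    if (len > RECV_BUF - r->used)
        return -1;                          /* no room; nothing is written */
    unsigned wpos = (r->ptr + r->used) % RECV_BUF;
    for (unsigned i = 0; i < len; i++)
        r->buf[(wpos + i) % RECV_BUF] = src[i];
    r->used = store(r, r->used + len);
    return 0;
}

/* Consumer side: copy out up to max bytes in at most two memcpy chunks and
 * advance the read pointer with the modulo expression the commit message quotes. */
static unsigned ring_read(struct ring *r, uint8_t *dst, unsigned max)
{
    unsigned len = r->used < max ? r->used : max;
    unsigned first = RECV_BUF - r->ptr;     /* bytes before the ring wraps */
    if (first > len)
        first = len;
    memcpy(dst, r->buf + r->ptr, first);
    memcpy(dst + first, r->buf, len - first);
    r->used = store(r, r->used - len);
    r->ptr = store(r, (r->ptr + len) % RECV_BUF);
    return len;
}

/* Push two PACKET_LEN-byte packets through the ring, draining each in
 * USB_PAYLOAD-byte reads.  Returns the index of the first byte of the second
 * packet that comes out corrupted, or -1 if it round-trips intact. */
int first_corrupted_byte(unsigned index_bits)
{
    struct ring r;
    uint8_t in[PACKET_LEN], out[PACKET_LEN];
    ring_init(&r, index_bits);

    for (unsigned pkt = 1; pkt <= 2; pkt++) {
        for (unsigned i = 0; i < PACKET_LEN; i++)
            in[i] = (uint8_t)(pkt * 100 + i);   /* constructed pattern, differs per packet */
        if (ring_write(&r, in, PACKET_LEN) != 0)
            return -2;
        unsigned got = 0;
        while (r.used && got < PACKET_LEN) {
            unsigned want = PACKET_LEN - got;
            if (want > USB_PAYLOAD)
                want = USB_PAYLOAD;
            got += ring_read(&r, out + got, want);
        }
        if (pkt == 2)
            for (unsigned i = 0; i < PACKET_LEN; i++)
                if (out[i] != in[i])
                    return (int)i;
    }
    return -1;
}

int main(void)
{
    printf("uint8_t  fields: first corrupted byte of packet 2 = %d\n", first_corrupted_byte(8));
    printf("uint16_t fields: first corrupted byte of packet 2 = %d\n", first_corrupted_byte(16));
    return 0;
}
```

With 8-bit fields the second packet is written at offset 200, the first read advances the pointer to 262, and the store truncates that to 6; the next read therefore copies from offset 6, which still holds bytes of the first packet, so byte 62 onward of the second packet is stale data. With 16-bit fields every offset up to 383 survives the store and the packet round-trips intact.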