From: "David S. Ahern" <daahern@cisco.com>
To: qemu-devel@nongnu.org
Cc: kvm-devel <kvm@vger.kernel.org>
Subject: [Qemu-devel] Re: [PATCH] segfault due to buffer overrun in usb-serial
Date: Tue, 09 Feb 2010 07:09:38 -0700 [thread overview]
Message-ID: <4B716CA2.5000709@cisco.com> (raw)
In-Reply-To: <4B699DB6.4090604@cisco.com>
I have not seen response to this. If there are no objections please apply.
Thanks,
David Ahern
On 02/03/2010 09:00 AM, David S. Ahern wrote:
> This fixes a segfault due to buffer overrun in the usb-serial device.
> The memcpy was incrementing the start location by recv_used yet, the
> computation of first_size (how much to write at the end of the buffer
> before wrapping to the front) was not accounting for it. This causes the
> next element after the receive buffer (recv_ptr) to get overwritten with
> random data.
>
> Signed-off-by: David Ahern <daahern@cisco.com>
>
> diff --git a/hw/usb-serial.c b/hw/usb-serial.c
> index 37293ea..c3f3401 100644
> --- a/hw/usb-serial.c
> +++ b/hw/usb-serial.c
> @@ -497,12 +497,28 @@ static int usb_serial_can_read(void *opaque)
> static void usb_serial_read(void *opaque, const uint8_t *buf, int size)
> {
> USBSerialState *s = opaque;
> - int first_size = RECV_BUF - s->recv_ptr;
> - if (first_size > size)
> - first_size = size;
> - memcpy(s->recv_buf + s->recv_ptr + s->recv_used, buf, first_size);
> - if (size > first_size)
> - memcpy(s->recv_buf, buf + first_size, size - first_size);
> + int first_size, start;
> +
> + /* room in the buffer? */
> + if (size > (RECV_BUF - s->recv_used))
> + size = RECV_BUF - s->recv_used;
> +
> + start = s->recv_ptr + s->recv_used;
> + if (start < RECV_BUF) {
> + /* copy data to end of buffer */
> + first_size = RECV_BUF - start;
> + if (first_size > size)
> + first_size = size;
> +
> + memcpy(s->recv_buf + start, buf, first_size);
> +
> + /* wrap around to front if needed */
> + if (size > first_size)
> + memcpy(s->recv_buf, buf + first_size, size - first_size);
> + } else {
> + start -= RECV_BUF;
> + memcpy(s->recv_buf + start, buf, size);
> + }
> s->recv_used += size;
> }
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
next prev parent reply other threads:[~2010-02-09 14:10 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-03 16:00 [Qemu-devel] [PATCH] segfault due to buffer overrun in usb-serial David S. Ahern
2010-02-09 14:09 ` David S. Ahern [this message]
2010-02-10 19:28 ` Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B716CA2.5000709@cisco.com \
--to=daahern@cisco.com \
--cc=kvm@vger.kernel.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).