Message-ID: <4B716CA2.5000709@cisco.com>
Date: Tue, 09 Feb 2010 07:09:38 -0700
From: "David S. Ahern"
References: <4B699DB6.4090604@cisco.com>
In-Reply-To: <4B699DB6.4090604@cisco.com>
Subject: [Qemu-devel] Re: [PATCH] segfault due to buffer overrun in usb-serial
To: qemu-devel@nongnu.org
Cc: kvm-devel

I have not seen a response to this. If there are no objections, please apply.

Thanks,
David Ahern

On 02/03/2010 09:00 AM, David S. Ahern wrote:
> This fixes a segfault due to buffer overrun in the usb-serial device.
> The memcpy was incrementing the start location by recv_used, yet the
> computation of first_size (how much to write at the end of the buffer
> before wrapping to the front) was not accounting for it. This causes the
> next element after the receive buffer (recv_ptr) to get overwritten with
> random data.
>
> Signed-off-by: David Ahern
>
> diff --git a/hw/usb-serial.c b/hw/usb-serial.c
> index 37293ea..c3f3401 100644
> --- a/hw/usb-serial.c
> +++ b/hw/usb-serial.c
> @@ -497,12 +497,28 @@ static int usb_serial_can_read(void *opaque)
>  static void usb_serial_read(void *opaque, const uint8_t *buf, int size)
>  {
>      USBSerialState *s = opaque;
> -    int first_size = RECV_BUF - s->recv_ptr;
> -    if (first_size > size)
> -        first_size = size;
> -    memcpy(s->recv_buf + s->recv_ptr + s->recv_used, buf, first_size);
> -    if (size > first_size)
> -        memcpy(s->recv_buf, buf + first_size, size - first_size);
> +    int first_size, start;
> +
> +    /* room in the buffer? */
> +    if (size > (RECV_BUF - s->recv_used))
> +        size = RECV_BUF - s->recv_used;
> +
> +    start = s->recv_ptr + s->recv_used;
> +    if (start < RECV_BUF) {
> +        /* copy data to end of buffer */
> +        first_size = RECV_BUF - start;
> +        if (first_size > size)
> +            first_size = size;
> +
> +        memcpy(s->recv_buf + start, buf, first_size);
> +
> +        /* wrap around to front if needed */
> +        if (size > first_size)
> +            memcpy(s->recv_buf, buf + first_size, size - first_size);
> +    } else {
> +        start -= RECV_BUF;
> +        memcpy(s->recv_buf + start, buf, size);
> +    }
>      s->recv_used += size;
>  }
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
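Review bot: the new clamp `if (size > (RECV_BUF - s->recv_used)) size = RECV_BUF - s->recv_used;` silently discards whatever does not fit, and `usb_serial_read` returns void, so the caller never learns that serial bytes were dropped. If `usb_serial_can_read` already limits what the char layer hands over, the clamp is purely defensive and a comment saying so would help; if it does not, the truncation deserves at least a trace so the loss is visible. The `else` branch is sound as written: assuming `recv_ptr` stays below `RECV_BUF`, `start` is below `2 * RECV_BUF`, so one `start -= RECV_BUF` suffices, and after the clamp `start + size` cannot exceed `recv_ptr`, so the copy stays inside `recv_buf`. Minor style point: the parentheses in `(RECV_BUF - s->recv_used)` are redundant, and the unbraced single-statement `if` bodies follow the old code rather than QEMU's braced style.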
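The overrun described in the quoted message, modelled as an added example (this is not QEMU's code): a ring of RECV_BUF = 16 bytes followed by guard bytes that stand in for the `recv_ptr` field that sat after `recv_buf`, with `read_old` carrying the pre-patch arithmetic, `read_new` the patched arithmetic, and `scenario` reporting whether the guard survived. The ring size, guard length, byte pattern and scenario values are all constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#define RECV_BUF 16 /* constructed: a small ring so the overrun is easy to see */
#define GUARD 8     /* bytes right after the ring, standing in for recv_ptr */

typedef struct {
    uint8_t mem[RECV_BUF + GUARD]; /* mem[0..RECV_BUF) is recv_buf, rest is guard */
    int recv_ptr, recv_used;       /* read position, bytes queued */
} Ring;
static Ring g_ring; /* state left by the last scenario(), for inspection */

/* Pre-patch: first_size ignores recv_used although the copy starts at recv_ptr + recv_used. */
static void read_old(Ring *s, const uint8_t *buf, int size)
{
    int first_size = RECV_BUF - s->recv_ptr;
    if (first_size > size) first_size = size;
    memcpy(s->mem + s->recv_ptr + s->recv_used, buf, first_size); /* may run past the ring */
    if (size > first_size) memcpy(s->mem, buf + first_size, size - first_size);
    s->recv_used += size;
}

/* Patched: clamp to free space, then split at the real write offset. */
static void read_new(Ring *s, const uint8_t *buf, int size)
{
    int first_size, start;
    if (size > RECV_BUF - s->recv_used) size = RECV_BUF - s->recv_used;
    start = s->recv_ptr + s->recv_used;
    if (start < RECV_BUF) {
        first_size = RECV_BUF - start;
        if (first_size > size) first_size = size;
        memcpy(s->mem + start, buf, first_size);
        if (size > first_size) memcpy(s->mem, buf + first_size, size - first_size);
    } else {
        start -= RECV_BUF; /* write region lies entirely in the wrapped part */
        memcpy(s->mem + start, buf, size);
    }
    s->recv_used += size;
}

/* Queue `size` bytes 0x10,0x11,... into a ring at (ptr, used); return 1 if the guard is untouched. */
static int scenario(int fixed, int ptr, int used, int size)
{
    uint8_t in[RECV_BUF]; for (int i = 0; i < RECV_BUF; i++) in[i] = (uint8_t)(0x10 + i);
    memset(g_ring.mem, 0, RECV_BUF);
    memset(g_ring.mem + RECV_BUF, 0xA5, GUARD); /* canary pattern, constructed */
    g_ring.recv_ptr = ptr; g_ring.recv_used = used;
    if (fixed) read_new(&g_ring, in, size); else read_old(&g_ring, in, size);
    for (int i = 0; i < GUARD; i++) if (g_ring.mem[RECV_BUF + i] != 0xA5) return 0;
    return 1;
}
```

With 8 bytes queued from position 4, the old code computes first_size = 12 and writes 8 bytes at offset 12, spilling four of them past the ring; the patched code writes 4 at the end and wraps the remaining 4 to the front.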