From: malc <av1474@comtv.ru>
To: qemu-devel@nongnu.org
Cc: ian.jackson@eu.citrix.com
Subject: Re: [Qemu-devel] [PATCH 1/5] usb-linux.c: allow full-size control transfers, do not overrun buffer
Date: Thu, 5 Feb 2009 22:35:46 +0300 (MSK)
Message-ID: <Pine.LNX.4.64.0902052232020.2647@linmac.oyster.ru>
In-Reply-To: <6f129132214575f261cb44404f901281ad6bd699.1233854876.git.Ian.Jackson@eu.citrix.com>
On Tue, 3 Feb 2009, Ian Jackson wrote:
> The buffer in struct ctrl_struct needs to be big enough for any
> control transfer which may be initiated by the guest, since we are
> perhaps trying to pass a device through. The biggest possible size is
> 2^16-1 since the length fields are 16 bits.
>
> Also, assert that the transfer request we are about to make to our
> host kernel will not overrun the buffer.
>
> Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
> ---
> usb-linux.c | 6 +++++-
> 1 files changed, 5 insertions(+), 1 deletions(-)
>
> diff --git a/usb-linux.c b/usb-linux.c
> index fb1153b..321c1db 100644
> --- a/usb-linux.c
> +++ b/usb-linux.c
> @@ -34,6 +34,8 @@
> #include "qemu-timer.h"
> #include "console.h"
>
> +#if defined(__linux__)
And endif is... (Leaving aside the fact that __linux__ guard in a file
called something-linux.c is a weird looking thing)
> +#include <assert.h>
> #include <dirent.h>
> #include <sys/ioctl.h>
> #include <signal.h>
> @@ -115,7 +117,7 @@ struct ctrl_struct {
> uint16_t offset;
> uint8_t state;
> struct usb_ctrlrequest req;
> - uint8_t buffer[1024];
> + uint8_t buffer[65536];
> };
>
> typedef struct USBHostDevice {
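Review bot: the bare literal 65536 loses the reasoning the commit message gives for it; a named constant with a one-line comment (wLength is a 16-bit field, so 65535 is the largest possible data stage and 65536 covers it) would stop a later reader from shrinking it back. Note the cost too: `ctrl` is embedded by value in USBHostDevice (the later hunk uses `sizeof(s->ctrl.buffer)`), so every passed-through device now carries a 64 KiB array whether or not it ever sees a large control transfer; if per-device memory matters, allocating the data buffer on demand would avoid that.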
> @@ -603,6 +605,8 @@ static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)
> urb->type = USBDEVFS_URB_TYPE_CONTROL;
> urb->endpoint = p->devep;
>
> + assert(s->ctrl.len < sizeof(s->ctrl.buffer));
> +
If something can happen it will; if assert can turn into a nop it will do
so also. `if (cond) abort();' is more appropriate.
> urb->buffer = &s->ctrl.req;
> urb->buffer_length = 8 + s->ctrl.len;
>
>
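Review bot: the assert checks a guest-controlled value at the wrong place and with the wrong failure mode. `s->ctrl.len` comes from the guest's wLength, and nothing in this hunk shows where it is validated when the setup packet is received; if the data stage is copied into `s->ctrl.buffer` before usb_host_handle_control builds the URB, the overrun the subject line describes has already happened by the time this line runs. When it does run, assert() either vanishes under NDEBUG or turns an oversized request into an abort of the whole QEMU process on input the guest chose. Move the check to where `len` is taken from the setup packet and fail that transfer (return an error so the device model STALLs it) rather than asserting; with the 65536-byte buffer the `<` comparison can never fail anyway, so the real guard belongs at the point of entry.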
--
mailto:av1474@comtv.ru
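The point under discussion, shown as an added example that is not part of the patch or of QEMU: decode the 8-byte USB SETUP packet, take the guest-chosen wLength, and reject a data stage that would not fit the buffer instead of asserting or aborting. The struct and function names (`ctrl_state`, `accept_control`, `try_max_length_transfer`), the two buffer-size constants that model the layout before and after the patch, and the sample OUT request are all assumptions made for the example; the last function demonstrates malc's objection to assert() by building an assert whose side effect disappears under -DNDEBUG.

```c
/* Added example, not QEMU code: bounds-checking a guest-controlled USB
 * control transfer at the point where wLength enters the device model.
 * Names and sizes are assumptions chosen to mirror the patch's layout. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OLD_CTRL_BUF_SIZE 1024    /* buffer size before the patch */
#define NEW_CTRL_BUF_SIZE 65536   /* after the patch: covers any 16-bit wLength */

/* The 8-byte USB SETUP packet (USB 2.0, section 9.3); fields are little-endian. */
struct setup_packet {
    uint8_t  bRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* length of the data stage: chosen by the guest */
};

/* Shape of the patch's ctrl_struct: setup packet, accepted length, data buffer. */
struct ctrl_state {
    struct setup_packet req;
    uint16_t len;
    uint8_t  buffer[NEW_CTRL_BUF_SIZE];
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

void decode_setup(const uint8_t raw[8], struct setup_packet *req)
{
    req->bRequestType = raw[0];
    req->bRequest     = raw[1];
    req->wValue       = le16(raw + 2);
    req->wIndex       = le16(raw + 4);
    req->wLength      = le16(raw + 6);
}

/* Accept a SETUP packet (plus OUT data, if any) into st only if wLength fits
 * in buf_size, which is the real capacity of st->buffer or a smaller value
 * used here to model the old 1024-byte layout.  Returns 0 on success and -1
 * when the device model should STALL the request.  The oversized case is an
 * ordinary protocol error, not a bug in our code, so it must not assert() or
 * abort(): the value came from the guest, and an abort here would let the
 * guest crash the VM at will. */
int accept_control(struct ctrl_state *st, const uint8_t raw[8],
                   const uint8_t *out_data, size_t buf_size)
{
    struct setup_packet req;
    decode_setup(raw, &req);
    if (req.wLength > buf_size) {
        return -1;
    }
    st->req = req;
    st->len = req.wLength;
    if (out_data != NULL && !(req.bRequestType & 0x80)) {
        /* host-to-device: copy the data stage; len <= buf_size was checked above */
        memcpy(st->buffer, out_data, st->len);
    }
    return 0;
}

/* What the patch hands to the kernel as urb->buffer_length:
 * the 8-byte setup packet followed by the data stage. */
size_t urb_buffer_length(uint16_t len)
{
    return 8 + (size_t)len;
}

/* Constructed sample: a vendor OUT request with wLength = 0xffff, the largest
 * value the 16-bit field allows.  Returns -1 if rejected for buf_size,
 * otherwise the accepted data-stage length. */
int try_max_length_transfer(size_t buf_size)
{
    static struct ctrl_state st;
    static uint8_t data[65535];
    const uint8_t setup[8] = {0x40, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff};
    memset(data, 0xab, sizeof data);
    if (accept_control(&st, setup, data, buf_size) != 0) {
        return -1;
    }
    return (int)st.len;
}

/* malc's point: assert() is not a check you can rely on.  This returns 1 only
 * when the assert is compiled in; build with -DNDEBUG and both the test and
 * its side effect disappear, leaving live == 0. */
int assert_is_live(void)
{
    int live = 0;
    assert((live = 1) == 1);
    return live;
}

int main(void)
{
    printf("old 1024-byte buffer: %d\n", try_max_length_transfer(OLD_CTRL_BUF_SIZE));
    printf("new 65536-byte buffer: %d\n", try_max_length_transfer(NEW_CTRL_BUF_SIZE));
    printf("assert compiled in: %d\n", assert_is_live());
    return 0;
}
```

Built normally, the first call is rejected (the old buffer cannot hold a 65535-byte data stage) and the second is accepted with the full length; compile the same file with -DNDEBUG and `assert_is_live()` reports 0, which is exactly why a check on guest input has to be an explicit `if` that fails the request rather than an assert.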
Thread overview:
2009-02-03 16:46 [Qemu-devel] [PATCH 1/5] usb-linux.c: allow full-size control transfers, do not overrun buffer Ian Jackson
2009-02-03 16:44 ` [Qemu-devel] [PATCH 2/5] usb-linux.c: set urb->type correctly for control and interrupt transfers Ian Jackson
2009-02-04 15:28 ` [Qemu-devel] [PATCH 3/5] usb-linux.c: somewhat improve some error and debugging messages Ian Jackson
2009-02-04 15:31 ` [Qemu-devel] [PATCH 4/5] usb-linux.c: more improved debugging messages (endpoint table) Ian Jackson
2009-02-05 17:20 ` [Qemu-devel] [PATCH 5/5] usb-linux.c: fix handling of asynchronous isochronous completion Ian Jackson
2009-02-05 19:35 ` malc [this message]
2009-02-06 10:35 ` [Qemu-devel] [PATCH 1/5] usb-linux.c: allow full-size control transfers, do not overrun buffer Ian Jackson