Date: Thu, 5 Feb 2009 22:35:46 +0300 (MSK)
From: malc
Subject: Re: [Qemu-devel] [PATCH 1/5] usb-linux.c: allow full-size control transfers, do not overrun buffer
In-Reply-To: <6f129132214575f261cb44404f901281ad6bd699.1233854876.git.Ian.Jackson@eu.citrix.com>
Message-ID:
References: <6f129132214575f261cb44404f901281ad6bd699.1233854876.git.Ian.Jackson@eu.citrix.com>
To: qemu-devel@nongnu.org
Cc: ian.jackson@eu.citrix.com

On Tue, 3 Feb 2009, Ian Jackson wrote:

> The buffer in struct ctrl_struct needs to be big enough for any
> control transfer which may be initiated by the guest, since we are
> perhaps trying to pass a device through. The biggest possible size is
> 2^16-1 since the length fields are 16 bits.
>
> Also, assert that the transfer request we are about to make to our
> host kernel will not overrun the buffer.
>
> Signed-off-by: Ian Jackson
> ---
> usb-linux.c | 6 +++++-
> 1 files changed, 5 insertions(+), 1 deletions(-)
>
> diff --git a/usb-linux.c b/usb-linux.c
> index fb1153b..321c1db 100644
> --- a/usb-linux.c
> +++ b/usb-linux.c
> @@ -34,6 +34,8 @@
> #include "qemu-timer.h"
> #include "console.h"
>
> +#if defined(__linux__)

And endif is... (Leaving aside the fact that __linux__ guard in a file
called something-linux.c is a weird looking thing)

> +#include
> #include
> #include
> #include
> @@ -115,7 +117,7 @@ struct ctrl_struct {
> uint16_t offset;
> uint8_t state;
> struct usb_ctrlrequest req;
> - uint8_t buffer[1024];
> + uint8_t buffer[65536];
> };
>
> typedef struct USBHostDevice {
> @@ -603,6 +605,8 @@ static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)
> urb->type = USBDEVFS_URB_TYPE_CONTROL;
> urb->endpoint = p->devep;
>
> + assert(s->ctrl.len < sizeof(s->ctrl.buffer));
> +

If something can happen it will, if assert can turn into a nop it will do
so also, `if (cond) abort();' is more appropriate.

> urb->buffer = &s->ctrl.req;
> urb->buffer_length = 8 + s->ctrl.len;
>

--
mailto:av1474@comtv.ru
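Review bot: the `+#if defined(__linux__)` added in the first hunk (`@@ -34,6 +34,8 @@`) has no matching `#endif` in any of the three hunks, and the diffstat accounts for all five insertions (two here, one in `struct ctrl_struct`, two in `usb_host_handle_control`), so no `#endif` is added anywhere in this patch; either the block is left unterminated or it leans on an existing `#endif` that is not shown. Either close it directly after the new `+#include` line or drop the guard, since, as the reply already notes, a file named usb-linux.c is Linux-specific as a whole. The header name on the `+#include` line is not visible in the archived hunk, so it cannot be checked here.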
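Review bot: in the second hunk (`@@ -115,7 +117,7 @@ struct ctrl_struct {`), `uint8_t buffer[65536]` does cover the largest 16-bit length (65535), and the extra byte keeps `len < sizeof(buffer)` true for every possible value, but the choice of 2^16 rather than 2^16-1 deserves a comment in the struct. Since `ctrl_struct` is embedded in `USBHostDevice` (the `typedef struct USBHostDevice {` that follows, and `s->ctrl.buffer` in the third hunk), every host device now carries 64 KiB inline instead of 1 KiB; any code that keeps a `USBHostDevice` on the stack or copies it by value should be rechecked for the size increase.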
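Review bot: in the third hunk (`@@ -603,6 +605,8 @@`), `s->ctrl.len` comes from a transfer the guest initiates (per the commit message), so `assert(s->ctrl.len < sizeof(s->ctrl.buffer))` makes a malformed guest request abort the emulator, and, as the reply points out, the check vanishes entirely under `-DNDEBUG`. `usb_host_handle_control` already returns an int, so prefer an explicit `if (s->ctrl.len >= sizeof(s->ctrl.buffer))` that fails the request back to the guest and keep the assert only as a debug aid. Note also that with the new 65536-byte buffer and a 16-bit length the condition can never be false, so it only guards against future size changes, and that `urb->buffer = &s->ctrl.req` with `urb->buffer_length = 8 + s->ctrl.len` relies on `buffer` immediately following `req` with no padding; that layout assumption is worth a compile-time check next to the struct.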
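Taking the reply's point about `assert` together with the commit message's guest-initiated 16-bit length, here is an added example (my own code, not from the patch or from QEMU) of the pattern a reviewer would ask for: an explicit bound check that survives `-DNDEBUG` and rejects the request instead of aborting, plus a compile-time check of the contiguous layout that a `8 + len` URB length relies on. The struct, function and macro names (`ctrl_state`, `ctrl_begin`, `CTRL_BUF_SIZE`, `wlength_fits`, and so on) and the setup-packet bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the patch's ctrl_struct (names and sizes are
 * assumptions for this example, not QEMU's definitions). The 8-byte setup
 * packet is followed directly by the data buffer, which is what handing
 * the host "8 + len" bytes starting at the setup packet relies on. */
#define SETUP_LEN 8
#define CTRL_BUF_SIZE 65536

struct ctrl_state {
    uint8_t setup[SETUP_LEN];     /* bmRequestType, bRequest, wValue, wIndex, wLength */
    uint8_t buffer[CTRL_BUF_SIZE];
    size_t len;                   /* data length requested by the guest */
};

/* The contiguous-layout assumption is checked at compile time rather than
 * silently relied upon. */
_Static_assert(offsetof(struct ctrl_state, buffer) == SETUP_LEN,
               "data buffer must directly follow the setup packet");

/* wLength is little-endian in bytes 6..7 of the setup packet. */
uint16_t setup_wlength(const uint8_t setup[SETUP_LEN])
{
    return (uint16_t)(setup[6] | ((uint16_t)setup[7] << 8));
}

/* Result of the control stage: on CTRL_REJECT the caller answers the guest
 * with a STALL instead of terminating the emulator. */
enum ctrl_result { CTRL_OK = 0, CTRL_REJECT = -1 };

/* Explicit bound check that is not compiled out: the guest-supplied length
 * must fit the data buffer before any transfer is set up. */
enum ctrl_result ctrl_begin(struct ctrl_state *s, const uint8_t setup[SETUP_LEN])
{
    size_t len = setup_wlength(setup);
    if (len > sizeof(s->buffer)) {
        return CTRL_REJECT;
    }
    memcpy(s->setup, setup, SETUP_LEN);
    s->len = len;
    return CTRL_OK;
}

/* Length handed to the host: setup packet plus data, bounded by the struct. */
size_t ctrl_urb_length(const struct ctrl_state *s)
{
    return SETUP_LEN + s->len;
}

/* The same check for an arbitrary buffer size: shows that a 1024-byte buffer
 * must reject large 16-bit lengths, while 64 KiB accepts all of them. */
int wlength_fits(uint16_t wlength, size_t bufsize)
{
    return (size_t)wlength <= bufsize;
}

/* Drives one control stage on a static state and returns the URB length the
 * host would be given, or 0 if the request was rejected. */
size_t demo_control_stage(const uint8_t setup[SETUP_LEN])
{
    static struct ctrl_state s;   /* static: 64 KiB is too large for the stack */
    if (ctrl_begin(&s, setup) != CTRL_OK) {
        return 0;
    }
    return ctrl_urb_length(&s);
}

int main(void)
{
    /* Constructed setup packet: device-to-host vendor request, wLength = 0xFFFF. */
    const uint8_t setup[SETUP_LEN] = { 0xC0, 0x01, 0, 0, 0, 0, 0xFF, 0xFF };
    printf("wLength=%u urb_length=%zu\n",
           (unsigned)setup_wlength(setup), demo_control_stage(setup));
    printf("fits 1024-byte buffer: %d, fits 65536-byte buffer: %d\n",
           wlength_fits(0xFFFF, 1024), wlength_fits(0xFFFF, CTRL_BUF_SIZE));
    return 0;
}
```

The rejection path in `ctrl_begin` is unreachable with a 64 KiB buffer and a 16-bit length, exactly as with the patch's assert; it stays in place so that a later change to either size fails the request instead of overrunning the buffer, and unlike `assert` it does not disappear in a release build.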