projects / sdk / emulator / qemu.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d6ed731)
usb: fix up post load checks
authorMichael S. Tsirkin <mst@redhat.com>
Tue, 13 May 2014 09:33:16 +0000 (12:33 +0300)
committerJuan Quintela <quintela@trasno.org>
Wed, 14 May 2014 13:24:52 +0000 (15:24 +0200)
Correct post load checks:
1. dev->setup_len == sizeof(dev->data_buf)
    seems fine, no need to fail migration
2. When state is DATA, passing index > len
   will cause memcpy with negative length,
   resulting in heap overflow

First of the issues was reported by dgilbert.

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
hw/usb/bus.c patch | blob | history

diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index 699aa1075d0b1e33aab7c8ce5f3e1672dd8cbd56..927a47bbff0e4997e9b109e30a83a513290f29c1 100644 (file)
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id)
     }
     if (dev->setup_index < 0 ||
         dev->setup_len < 0 ||
-        dev->setup_index >= sizeof(dev->data_buf) ||
-        dev->setup_len >= sizeof(dev->data_buf)) {
+        dev->setup_index > dev->setup_len ||
+        dev->setup_len > sizeof(dev->data_buf)) {
         return -EINVAL;
     }
     return 0;
Domain: SDK / Emulator;