From: Gerd Hoffmann Date: Mon, 3 May 2021 13:29:12 +0000 (+0200) Subject: usb/redir: avoid dynamic stack allocation (CVE-2021-3527) X-Git-Tag: upstream/4.2.1~36 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=8fbf703d9172b2007ce49d2bdf12440d85a0335b;p=tools%2Fqemu-arm-static.git usb/redir: avoid dynamic stack allocation (CVE-2021-3527) Git-commit: 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 References: bsc#1186012, CVE-2021-3527 Use autofree heap allocation instead. Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Gerd Hoffmann Tested-by: Philippe Mathieu-Daudé Message-Id: <20210503132915.2335822-3-kraxel@redhat.com> Signed-off-by: Jose R Ziviani --- diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index e0f5ca6f8..dd779c45d 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -607,7 +607,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, .endpoint = ep, .length = p->iov.size }; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); /* No id, we look at the ep when receiving a status back */ usb_packet_copy(p, buf, p->iov.size); usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, @@ -805,7 +805,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, usbredirparser_send_bulk_packet(dev->parser, p->id, &bulk_packet, NULL, 0); } else { - uint8_t buf[size]; + g_autofree uint8_t *buf = g_malloc(size); usb_packet_copy(p, buf, size); usbredir_log_data(dev, "bulk data out:", buf, size); usbredirparser_send_bulk_packet(dev->parser, p->id, @@ -910,7 +910,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, USBPacket *p, uint8_t ep) { struct usb_redir_interrupt_packet_header interrupt_packet; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, p->iov.size, p->id);