usb-ehci: sanity-check iso xfers

This patch adds a sanity check to itd processing to make sure the
endpoint addressed by the guest is actually an iso endpoint.  Also
verify that usb drivers don't return USB_RET_ASYNC which is illegal for
iso xfers.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

1 files changed, 10 insertions, 6 deletions

diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index b9da26ada8..048eb7663e 100644
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -1459,12 +1459,16 @@ static int ehci_process_itd(EHCIState *ehci,
 
             dev = ehci_find_device(ehci, devaddr);
             ep = usb_ep_get(dev, pid, endp);
-            usb_packet_setup(&ehci->ipacket, pid, ep);
-            usb_packet_map(&ehci->ipacket, &ehci->isgl);
-
-            ret = usb_handle_packet(dev, &ehci->ipacket);
-
-            usb_packet_unmap(&ehci->ipacket);
+            if (ep->type == USB_ENDPOINT_XFER_ISOC) {
+                usb_packet_setup(&ehci->ipacket, pid, ep);
+                usb_packet_map(&ehci->ipacket, &ehci->isgl);
+                ret = usb_handle_packet(dev, &ehci->ipacket);
+                assert(ret != USB_RET_ASYNC);
+                usb_packet_unmap(&ehci->ipacket);
+            } else {
+                DPRINTF("ISOCH: attempt to addess non-iso endpoint\n");
+                ret = USB_RET_NAK;
+            }
             qemu_sglist_destroy(&ehci->isgl);
 
 #if 0