| Field | Value | Date |
|---|---|---|
| author | Jim Paris <jim@jtan.com> | 2009-08-24 14:56:12 -0400 |
| committer | Anthony Liguori <aliguori@us.ibm.com> | 2009-09-11 10:19:42 -0500 |
| commit | c4c0e236beabb9de5ff472f77aeb811ec5484615 (patch) | |
| tree | 6b882b0014043282ce6cc361db0f8647fa98326e /hw/virtio.c | |
| parent | aeec26d348363d6b03d3f2679d86d53017cf6dd4 (diff) | |
| download | focaccia-qemu-c4c0e236beabb9de5ff472f77aeb811ec5484615.tar.gz, focaccia-qemu-c4c0e236beabb9de5ff472f77aeb811ec5484615.zip | |
usb-linux.c: fix buffer overflow
In usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and length to the kernel. However, the length was provided by the caller of dev->handle_packet, and is not checked, so the kernel might provide too much data and overflow our buffer.

For example, hw/usb-uhci.c could set the length to 2047. hw/usb-ohci.c looks like it might go up to 4096 or 8192.

This causes a qemu crash, as reported here:
http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html

This patch increases the usb-linux.c buffer size to 2048 to fix the specific device reported, and adds a check to avoid the overflow in any case.

Signed-off-by: Jim Paris <jim@jtan.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'hw/virtio.c')
0 files changed, 0 insertions, 0 deletions
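The bug class the commit message describes, modelled in C as an added illustration. This is not QEMU's usb-linux.c and not part of the commit; the struct, the function names and the `fake_kernel_control` stand-in for the kernel ioctl are assumptions. The "before" version hands the caller's length straight to the kernel with a 1024-byte buffer, and a guard word placed directly after the buffer makes the overrun observable without undefined behaviour; the "after" version uses the enlarged 2048-byte buffer and refuses any request whose length exceeds it before the kernel ever sees the pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OLD_BUF_SIZE 1024        /* buffer size before the fix */
#define NEW_BUF_SIZE 2048        /* buffer size after the fix */
#define CANARY       0xDEADBEEFu /* guard value, assumption for the demo */

/* Control-transfer buffer with a guard word immediately after it, so a write
 * past the old 1024-byte buffer is visible. Illustrative model only. */
struct ctrl_buf {
    uint8_t  data[OLD_BUF_SIZE];
    uint32_t canary;
};

/* Stand-in for the kernel side of the ioctl: it trusts `len` as the size of
 * `dst` and copies min(len, avail) bytes of device data into it. `avail` is
 * how many bytes the (simulated) device actually returns. */
static size_t fake_kernel_control(unsigned char *dst, size_t len, size_t avail)
{
    size_t n = len < avail ? len : avail;
    memset(dst, 0xAB, n);            /* constructed device payload */
    return n;
}

/* "Before": the caller-supplied length is not compared against the buffer.
 * Returns 1 if the guard word was overwritten, i.e. the buffer overflowed.
 * The write is issued through a byte pointer to the whole struct and capped
 * at the struct size, so the demonstration itself stays well defined. */
int control_unchecked(size_t len, size_t avail)
{
    struct ctrl_buf b;
    b.canary = CANARY;
    unsigned char *base = (unsigned char *)&b + offsetof(struct ctrl_buf, data);
    size_t room = sizeof b - offsetof(struct ctrl_buf, data);
    fake_kernel_control(base, len < room ? len : room, avail);
    return b.canary != CANARY;
}

/* "After": larger buffer plus an explicit length check before the kernel
 * call. Returns the number of bytes copied, or -1 when the request is
 * refused because it could not fit (the caller would treat -1 as an error). */
int control_checked(size_t len, size_t avail)
{
    uint8_t buf[NEW_BUF_SIZE];
    if (len > sizeof buf) {
        return -1;
    }
    return (int)fake_kernel_control(buf, len, avail);
}

int main(void)
{
    /* The lengths from the commit message: 2047 (uhci), 4096 and 8192 (ohci). */
    printf("unchecked, len 2047: overflow=%d\n", control_unchecked(2047, 2047));
    printf("unchecked, len   64: overflow=%d\n", control_unchecked(64, 64));
    printf("checked,   len 2047: rc=%d\n", control_checked(2047, 2047));
    printf("checked,   len 4096: rc=%d\n", control_checked(4096, 4096));
    printf("checked,   len 8192: rc=%d\n", control_checked(8192, 8192));
    return 0;
}
```

The point the check makes explicit: enlarging the buffer alone only covers the 2047-byte case the report came from, while the comparison against `sizeof buf` is what stops the 4096- and 8192-byte requests the commit message says hw/usb-ohci.c might issue. Note also that an overrun only happens when the device actually returns more data than the buffer holds; a short reply from the device masks the bug, which is why an unchecked length can survive testing on most hardware.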