usb: fix setup_len init (CVE-2020-14364) - focaccia-qemu - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Gerd Hoffmann <kraxel@redhat.com>	2020-08-25 07:36:36 +0200
committer	Gerd Hoffmann <kraxel@redhat.com>	2020-08-31 08:23:39 +0200
commit	b946434f2659a182afc17e155be6791ebfb302eb (patch)
tree	d0b25ff035e1bfa46b0349e8dfdea112c9eaa49c /hw/virtio/vhost-user.c
parent	202d69a715a4b1824dcd7ec1683d027ed2bae6d3 (diff)
download	focaccia-qemu-b946434f2659a182afc17e155be6791ebfb302eb.tar.gz focaccia-qemu-b946434f2659a182afc17e155be6791ebfb302eb.zip

usb: fix setup_len init (CVE-2020-14364)

Store calculated setup_len in a local variable, verify it, and only
write it to the struct (USBDevice->setup_len) in case it passed the
sanity checks.

This prevents other code (do_token_{in,out} functions specifically)
from working with invalid USBDevice->setup_len values and overrunning
the USBDevice->setup_buf[] buffer.

Fixes: CVE-2020-14364
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-id: 20200825053636.29648-1-kraxel@redhat.com

Diffstat (limited to 'hw/virtio/vhost-user.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: