]> xenbits.xensource.com Git - qemu-upstream-4.4-testing.git/commit
projects / qemu-upstream-4.4-testing.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 5202189) | patch
usb: sanity check setup_index+setup_len in post_load
authorMichael S. Tsirkin <mst@redhat.com>
Thu, 3 Apr 2014 16:52:25 +0000 (19:52 +0300)
committerStefano Stabellini <stefano.stabellini@eu.citrix.com>
Thu, 5 Mar 2015 13:21:37 +0000 (13:21 +0000)
commit1a228d0b734f044dc5f39d933be0ed807fbc60cf
treec1274e5b27748503fd2becab248baad74f381b0dtree
parent5202189b9e42209c23ca608025de9d5a305108a9commit | diff
usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
hw/usb/bus.c diff | blob | history
Obsolete Upstream Qemu based repository for xen-4.4-testing