]> xenbits.xensource.com Git - qemu-upstream-4.3-testing.git/commit
projects / qemu-upstream-4.3-testing.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 43e42a4) | patch
usb: sanity check setup_index+setup_len in post_load
authorMichael S. Tsirkin <mst@redhat.com>
Thu, 3 Apr 2014 16:52:25 +0000 (19:52 +0300)
committerStefano Stabellini <stefano.stabellini@eu.citrix.com>
Thu, 5 Mar 2015 13:21:56 +0000 (13:21 +0000)
commit8e789901f99e201cc7042f71941f192ab34e5235
tree7e0784768c450323a230d7c433c1e9269f47d3e8tree
parent43e42a48e1f0417e5bc17e84491c4b6b5be7be01commit | diff
usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
hw/usb/bus.c diff | blob | history
Obsolete Upstream Qemu based repository for xen-unstable