Hi, > -----Original Message----- > From: qemu-devel-bounces+arei.gonglei=huawei....@nongnu.org > [mailto:qemu-devel-bounces+arei.gonglei=huawei....@nongnu.org] On > Behalf Of Michael S. Tsirkin > Sent: Monday, May 12, 2014 8:16 PM > To: qemu-devel@nongnu.org > Cc: Gerd Hoffmann; dgilb...@redhat.com > Subject: [Qemu-devel] [PATCH] usb: fix up post load checks > > Correct post load checks: > 1. dev->setup_len == sizeof(dev->data_buf) > seems fine, no need to fail migration > 2. When state is DATA, passing index > len > will cause memcpy with negative length, > resulting in heap overflow > > First of the issues was reported by dgilbert. > > Reported-by: "Dr. David Alan Gilbert" <dgilb...@redhat.com> > Signed-off-by: Michael S. Tsirkin <m...@redhat.com> > --- > hw/usb/bus.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/hw/usb/bus.c b/hw/usb/bus.c > index e48b19f..2721719 100644 > --- a/hw/usb/bus.c > +++ b/hw/usb/bus.c > @@ -51,8 +51,9 @@ static int usb_device_post_load(void *opaque, int > version_id) > } > if (dev->setup_index < 0 || > dev->setup_len < 0 || > - dev->setup_index >= sizeof(dev->data_buf) ||
Should this check be deleted? > - dev->setup_len >= sizeof(dev->data_buf)) { > + (dev->setup_state == SETUP_STATE_DATA && > + dev->setup_index > dev->setup_len) || > + dev->setup_len > sizeof(dev->data_buf)) { > return -EINVAL; > } > return 0; > -- > MST Best regards, -Gonglei
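Review bot: The new upper bound on `dev->setup_index` is only enforced when `dev->setup_state == SETUP_STATE_DATA`, while the old `dev->setup_index >= sizeof(dev->data_buf)` line is removed outright, so in every other state `setup_index` is now bounded only by `setup_index < 0` and an arbitrarily large value loaded from the migration stream is accepted. Unless the non-DATA states provably never use `setup_index` to address `data_buf`, the bound should apply regardless of state, e.g. `dev->setup_index > dev->setup_len ||` without the state conjunct; together with `dev->setup_len > sizeof(dev->data_buf)` that keeps `setup_index` inside the buffer in all states and still prevents the negative-length (wrapped `size_t`) memcpy the commit message describes. The commit message should also say why `setup_index == setup_len` is allowed (a completed, zero-length transfer) and why the check is made state-dependent, since neither is obvious from the hunk.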