Re: [Qemu-devel] [PATCH] usb: fix up post load checks

Mon, 12 May 2014 20:05:30 -0700 

Hi,

> -----Original Message-----
> From: qemu-devel-bounces+arei.gonglei=huawei....@nongnu.org
> [mailto:qemu-devel-bounces+arei.gonglei=huawei....@nongnu.org] On
> Behalf Of Michael S. Tsirkin
> Sent: Monday, May 12, 2014 8:16 PM
> To: qemu-devel@nongnu.org
> Cc: Gerd Hoffmann; dgilb...@redhat.com
> Subject: [Qemu-devel] [PATCH] usb: fix up post load checks
> 
> Correct post load checks:
> 1. dev->setup_len == sizeof(dev->data_buf)
>     seems fine, no need to fail migration
> 2. When state is DATA, passing index > len
>    will cause memcpy with negative length,
>    resulting in heap overflow
> 
> First of the issues was reported by dgilbert.
> 
> Reported-by: "Dr. David Alan Gilbert" <dgilb...@redhat.com>
> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
> ---
>  hw/usb/bus.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/usb/bus.c b/hw/usb/bus.c
> index e48b19f..2721719 100644
> --- a/hw/usb/bus.c
> +++ b/hw/usb/bus.c
> @@ -51,8 +51,9 @@ static int usb_device_post_load(void *opaque, int
> version_id)
>      }
>      if (dev->setup_index < 0 ||
>          dev->setup_len < 0 ||
> -        dev->setup_index >= sizeof(dev->data_buf) ||

Does this check should be deleted ?

> -        dev->setup_len >= sizeof(dev->data_buf)) {
> +        (dev->setup_state == SETUP_STATE_DATA &&
> +         dev->setup_index > dev->setup_len) ||
> +        dev->setup_len > sizeof(dev->data_buf)) {
>          return -EINVAL;
>      }
>      return 0;
> --
> MST

Best regards,
-Gonglei

Reply via email to