From: Prasad J Pandit <p...@fedoraproject.org> Hello,
When processing remote NDIS control message packets, the USB Net device emulator uses a fixed length(4096) data buffer. The incoming packet length could exceed that OR informationBufferOffset & Length combination could overflow and cross that range. These two patches add checks to avoid such overflows. Thank you. --- Prasad J Pandit (2): usb: check RNDIS message length usb: check RNDIS buffer offsets & length hw/usb/core.c | 18 +++++++++--------- hw/usb/dev-network.c | 9 ++++++--- 2 files changed, 15 insertions(+), 12 deletions(-) -- 2.5.0
