On Wed, May 05, 2021 at 03:07:14PM +0200, Gerd Hoffmann wrote:
[...]
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 17f06f34179a..6a75b0dc4ab2 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, 
USBPacket *p,
                .endpoint = ep,
                .length = p->iov.size
            };
-            uint8_t buf[p->iov.size];
+            g_autofree uint8_t *buf = g_malloc(p->iov.size);
            /* No id, we look at the ep when receiving a status back */
            usb_packet_copy(p, buf, p->iov.size);
            usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
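Review bot: The new `g_malloc(p->iov.size)` has no visible upper bound on the size, and GLib's g_malloc aborts the process on allocation failure rather than returning NULL, so the commit relocates an unbounded allocation from the stack to the heap rather than removing it; the `g_malloc(size)` line in the usbredir_handle_bulk_data hunk has the same shape. usbredir_handle_iso_data begins outside the hunk, so a range check on p->iov.size may exist earlier in the function, but none is visible here and the hunk gives no indication that the value is bounded before use. A defensive form is `g_autofree uint8_t *buf = g_try_malloc(p->iov.size);` followed by a NULL check that completes the packet with an error status (e.g. USB_RET_STALL) instead of proceeding, or an explicit comparison of p->iov.size against the endpoint's maximum transfer size before the allocation, with a comment stating which caller guarantees the bound if one does.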
@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, 
USBPacket *p,
        usbredirparser_send_bulk_packet(dev->parser, p->id,
                                        &bulk_packet, NULL, 0);
    } else {
-        uint8_t buf[size];
+        g_autofree uint8_t *buf = g_malloc(size);
        usb_packet_copy(p, buf, size);

Won't this allow us to malloc then write an arbitrary amount of heap memory, allowing a guest driver to abort the qemu?

Remy
