"Debugging with GDB / Appendix E GDB Remote Serial Protocol / Overview" specifies "The printable characters '#' and '$' or with a numeric value greater than 126 must not be used." gdb_read_byte() only rejects values < 32. This is wrong. Impact depends on the caller:
* gdb_handlesig() passes a char. Incorrectly accepts '#', '$' and '\127'. * gdb_chr_receive() passes an uint8_t. Additionally accepts characters with the most-significant bit set. Correct the validity check to match the specification. Signed-off-by: Markus Armbruster <arm...@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com> --- gdbstub.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/gdbstub.c b/gdbstub.c index d54abd17cc..c41eb1de07 100644 --- a/gdbstub.c +++ b/gdbstub.c @@ -2064,7 +2064,11 @@ static void gdb_read_byte(GDBState *s, int ch) } break; case RS_GETLINE_RLE: - if (ch < ' ') { + /* + * Run-length encoding is explained in "Debugging with GDB / + * Appendix E GDB Remote Serial Protocol / Overview". + */ + if (ch < ' ' || ch == '#' || ch == '$' || ch > 126) { /* invalid RLE count encoding */ trace_gdbstub_err_invalid_repeat((uint8_t)ch); s->state = RS_GETLINE; -- 2.17.2