[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-arm] [PULL 8/8] usb-mtp: Return error on suspicious TYPE_DATA pack
From: |
Gerd Hoffmann |
Subject: |
[Qemu-arm] [PULL 8/8] usb-mtp: Return error on suspicious TYPE_DATA packet from initiator |
Date: |
Tue, 12 Jun 2018 12:44:30 +0200 |
From: Bandan Das <address@hidden>
CID 1390604
If the initiator sends a packet with TYPE_DATA set without
initiating a CMD_GET_OBJECT_INFO first, then usb_mtp_get_data
can trip on a null s->data_out.
Signed-off-by: Bandan Das <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/dev-mtp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index b0ab6a7912..1ded7ac9a3 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1700,6 +1700,11 @@ static void usb_mtp_get_data(MTPState *s, mtp_container
*container,
uint64_t dlen;
uint32_t data_len = p->iov.size;
+ if (!d) {
+ usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, 0,
+ 0, 0, 0, 0);
+ return;
+ }
if (d->first) {
/* Total length of incoming data */
d->length = cpu_to_le32(container->length) - sizeof(mtp_container);
--
2.9.3
- [Qemu-arm] [PULL 0/8] Usb 20180612 patches, Gerd Hoffmann, 2018/06/12
- [Qemu-arm] [PULL 7/8] usb-hcd-xhci-test: add a test for ccid hotplug, Gerd Hoffmann, 2018/06/12
- [Qemu-arm] [PULL 8/8] usb-mtp: Return error on suspicious TYPE_DATA packet from initiator,
Gerd Hoffmann <=
- [Qemu-arm] [PULL 6/8] usb-ccid: fix bus leak, Gerd Hoffmann, 2018/06/12
- [Qemu-arm] [PULL 1/8] usb: update docs, Gerd Hoffmann, 2018/06/12
- [Qemu-arm] [PULL 2/8] usb: correctly handle Zero Length Packets, Gerd Hoffmann, 2018/06/12
- [Qemu-arm] [PULL 3/8] usb/dev-mtp: Fix use of uninitialized values, Gerd Hoffmann, 2018/06/12
- [Qemu-arm] [PULL 4/8] bus: do not unref the added child bus on realize, Gerd Hoffmann, 2018/06/12
- [Qemu-arm] [PULL 5/8] object: fix OBJ_PROP_LINK_UNREF_ON_RELEASE ambivalence, Gerd Hoffmann, 2018/06/12