qemu-devel

Re: [Qemu-devel] [PATCH] Out off array access in usb-net


From: Gleb Natapov
Subject: Re: [Qemu-devel] [PATCH] Out off array access in usb-net
Date: Tue, 9 Nov 2010 11:39:01 +0200

On Tue, Nov 09, 2010 at 10:30:54AM +0100, Markus Armbruster wrote:
> Gleb Natapov <address@hidden> writes:
> 
> > Properly check array bounds before accessing array element.
> 
> Impact?
> 
Gaping security hole for those unfortunate enough to use usb-net?

> Apply to stable as well?
> 
Definitely. Actually for me Windows7 crashed when usb-net is present.

> > Signed-off-by: Gleb Natapov <address@hidden>
> > diff --git a/hw/usb-net.c b/hw/usb-net.c
> > index 70f9263..84e2d79 100644
> > --- a/hw/usb-net.c
> > +++ b/hw/usb-net.c
> > @@ -1142,7 +1142,7 @@ static int usb_net_handle_control(USBDevice *dev, int 
> > request, int value,
> >                  break;
> >  
> >              default:
> > -                if (usb_net_stringtable[value & 0xff]) {
> > +                if (ARRAY_SIZE(usb_net_stringtable) > (value & 0xff)) {
> >                      ret = set_usb_string(data,
> >                                      usb_net_stringtable[value & 0xff]);
> >                      break;
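
Review bot: the new condition on the `+` line bounds the index but no longer tests that the selected entry is non-NULL, which is all the removed line did. If usb_net_stringtable has any unset slot below ARRAY_SIZE, set_usb_string() is now called with a NULL pointer for that index. Consider keeping both tests, bounds first, for example `(value & 0xff) < ARRAY_SIZE(usb_net_stringtable) && usb_net_stringtable[value & 0xff]`, so the guest-controlled `value` can neither index past the table nor select an empty entry.
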
> 
> Makes sense.
> 
> Nitpick: LIMIT > INDEX looks unusual to me; INDEX < LIMIT is more
> common.

--
                        Gleb.


