
[Qemu-devel] [PATCH 3/3] usb: control buffer fixes


From: Hans de Goede
Subject: [Qemu-devel] [PATCH 3/3] usb: control buffer fixes
Date: Wed, 2 Feb 2011 19:18:41 +0100

Windows allows control transfers to pass up to 4k of data, so raise our
control buffer size to 4k. For control out transfers the usb core code copies
the control request data to a buffer before calling the device's handle_control
callback. Add a check for overflowing the buffer before copying the data.

Signed-off-by: Hans de Goede <address@hidden>
---
 hw/usb.c |    6 ++++++
 hw/usb.h |    2 +-
 2 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/hw/usb.c b/hw/usb.c
index 560b3e4..4379c2a 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -98,6 +98,12 @@ static int do_token_setup(USBDevice *s, USBPacket *p)
             s->setup_len = ret;
         s->setup_state = SETUP_STATE_DATA;
     } else {
+        if (s->setup_len > sizeof(s->data_buf)) {
+            fprintf(stderr,
+                "usb_generic_handle_packet: ctrl buffer too small (%d > 
%zu)\n",
+                s->setup_len, sizeof(s->data_buf));
+            return USB_RET_STALL;
+        }
         if (s->setup_len == 0)
             s->setup_state = SETUP_STATE_ACK;
         else
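Review bot: the early `return USB_RET_STALL;` in the new `if (s->setup_len > sizeof(s->data_buf))` block leaves `s->setup_len` holding the rejected, oversized value and does not touch `s->setup_state`. Any later path that uses `setup_len` as a bound on `data_buf` without repeating this comparison would then work from a length that has already failed validation. Consider clearing `s->setup_len` (and resetting `s->setup_state`) before returning, or validating the length in a local variable and assigning it to `s->setup_len` only once it has passed. Two smaller points: the check sits only in the `else` branch, while the branch above it assigns `s->setup_len = ret` and moves to `SETUP_STATE_DATA` with no comparison against `sizeof(s->data_buf)` visible in this hunk, so it is worth confirming that direction is bounded as well; and the message text names `usb_generic_handle_packet` although the hunk header shows the code is in `do_token_setup`, which will mislead anyone searching for the source of the log line.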
diff --git a/hw/usb.h b/hw/usb.h
index 412ce02..51ccc86 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -167,7 +167,7 @@ struct USBDevice {
 
     int state;
     uint8_t setup_buf[8];
-    uint8_t data_buf[1024];
+    uint8_t data_buf[4096];
     int remote_wakeup;
     int setup_state;
     int setup_len;
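Review bot: the new `data_buf[4096]` size is a bare literal with no comment, so the rationale given in the commit message (Windows passing up to 4k in a control transfer) is lost to anyone reading the header. A named constant with a one-line comment would document it. It is also worth noting next to the array that the length field in the 8-byte setup packet held in `setup_buf[8]` is 16 bits wide, so a guest can still request more than 4096 bytes; the larger buffer reduces stalls for well-behaved guests but the bound check in hw/usb.c remains the actual protection. Since `setup_len` is declared `int`, a comment or an unsigned type would make it clear that the comparison against `sizeof` is intended to reject negative values too.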
-- 
1.7.3.2



