[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 07/17] uas: Bounds check tags when using streams
From: |
Gerd Hoffmann |
Subject: |
[Qemu-devel] [PATCH 07/17] uas: Bounds check tags when using streams |
Date: |
Fri, 29 Nov 2013 09:06:11 +0100 |
From: Hans de Goede <address@hidden>
Disallow the guest to cause us to address the data3 and status3 arrays
out of bounds.
Signed-off-by: Hans de Goede <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/dev-uas.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
index 70f41d3..5884035 100644
--- a/hw/usb/dev-uas.c
+++ b/hw/usb/dev-uas.c
@@ -692,6 +692,9 @@ static void usb_uas_command(UASDevice *uas, uas_ui *ui)
uint32_t len;
uint16_t tag = be16_to_cpu(ui->hdr.tag);
+ if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) {
+ goto invalid_tag;
+ }
req = usb_uas_find_request(uas, tag);
if (req) {
goto overlapped_tag;
@@ -724,6 +727,10 @@ static void usb_uas_command(UASDevice *uas, uas_ui *ui)
}
return;
+invalid_tag:
+ usb_uas_queue_fake_sense(uas, tag, sense_code_INVALID_TAG);
+ return;
+
overlapped_tag:
usb_uas_queue_fake_sense(uas, tag, sense_code_OVERLAPPED_COMMANDS);
return;
@@ -742,6 +749,9 @@ static void usb_uas_task(UASDevice *uas, uas_ui *ui)
UASRequest *req;
uint16_t task_tag;
+ if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) {
+ goto invalid_tag;
+ }
req = usb_uas_find_request(uas, be16_to_cpu(ui->hdr.tag));
if (req) {
goto overlapped_tag;
@@ -774,6 +784,10 @@ static void usb_uas_task(UASDevice *uas, uas_ui *ui)
}
return;
+invalid_tag:
+ usb_uas_queue_response(uas, tag, UAS_RC_INVALID_INFO_UNIT, 0);
+ return;
+
overlapped_tag:
usb_uas_queue_response(uas, req->tag, UAS_RC_OVERLAPPED_TAG, 0);
return;
--
1.8.3.1
- [Qemu-devel] [PULL 00/17] usb patch queue, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 02/17] xhci: add support for suspend/resume, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 01/17] xhci: Add a few missing checks for disconnected devices, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 13/17] ehci: implement port wakeup, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 11/17] usb: Add usb_device_alloc/free_streams, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 12/17] xhci: Call usb_device_alloc/free_streams, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 17/17] usb: move usb_{hi, lo} helpers to header file., Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 07/17] uas: Bounds check tags when using streams,
Gerd Hoffmann <=
- [Qemu-devel] [PATCH 14/17] Revert "usb-tablet: Don't claim wakeup capability for USB-2 version", Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 06/17] uas: Streams are numbered 1-y, rather then 0-x, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 15/17] trace-events: Clean up after removal of old usb-host code, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 08/17] uas: Fix response iu struct definition, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 09/17] uas: s/ui/iu/, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 16/17] usb: add vendor request defines, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 04/17] uas: Only use report iu-s for task_mgmt status reporting, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 10/17] usb: Add max_streams attribute to endpoint info, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 05/17] uas: Fix / cleanup usb_uas_task error handling, Gerd Hoffmann, 2013/11/29
- [Qemu-devel] [PATCH 03/17] scsi: Add 2 new sense codes needed by uas, Gerd Hoffmann, 2013/11/29