[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 6/9] usb: mtp: fix possible buffer overflow
From: |
Gerd Hoffmann |
Subject: |
[Qemu-devel] [PATCH 6/9] usb: mtp: fix possible buffer overflow |
Date: |
Fri, 25 Apr 2014 12:48:11 +0200 |
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/dev-mtp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 45f9562..82d5b64 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -998,6 +998,9 @@ static void usb_mtp_handle_data(USBDevice *dev, USBPacket
*p)
cmd.argc = (le32_to_cpu(container.length) - sizeof(container))
/ sizeof(uint32_t);
cmd.trans = le32_to_cpu(container.trans);
+ if (cmd.argc > ARRAY_SIZE(cmd.argv)) {
+ cmd.argc = ARRAY_SIZE(cmd.argv);
+ }
usb_packet_copy(p, ¶ms, cmd.argc * sizeof(uint32_t));
for (i = 0; i < cmd.argc; i++) {
cmd.argv[i] = le32_to_cpu(params[i]);
--
1.8.3.1
- [Qemu-devel] [PATCH 0/9] usb: mtp: a bunch of fixes, Gerd Hoffmann, 2014/04/25
- [Qemu-devel] [PATCH 2/9] usb: mtp: fix usb_mtp_add_u64, Gerd Hoffmann, 2014/04/25
- [Qemu-devel] [PATCH 1/9] usb: mtp: replace debug printfs with trace points, Gerd Hoffmann, 2014/04/25
- [Qemu-devel] [PATCH 7/9] usb: mtp: avoid empty description string, Gerd Hoffmann, 2014/04/25
- [Qemu-devel] [PATCH 9/9] usb: mtp: reply INCOMPLETE_TRANSFER on read errors, Gerd Hoffmann, 2014/04/25
- [Qemu-devel] [PATCH 5/9] usb: mtp: fix error path memory leak, Gerd Hoffmann, 2014/04/25
- [Qemu-devel] [PATCH 8/9] usb: mtp: drop data-out hexdump, Gerd Hoffmann, 2014/04/25
- [Qemu-devel] [PATCH 6/9] usb: mtp: fix possible buffer overflow,
Gerd Hoffmann <=
- [Qemu-devel] [PATCH 3/9] usb: mtp: fix version (is decimal not bcd), Gerd Hoffmann, 2014/04/25
- [Qemu-devel] [PATCH 4/9] usb: mtp: fix serial (must be exact 32 chars), Gerd Hoffmann, 2014/04/25
- Re: [Qemu-devel] [PATCH 0/9] usb: mtp: a bunch of fixes, Peter Wu, 2014/04/25