]> git.ipfire.org Git - thirdparty/qemu.git/commit
projects / thirdparty / qemu.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4dcd2f1) | patch
usb: check RNDIS buffer offsets & length
authorPrasad J Pandit <pjp@fedoraproject.org>
Tue, 16 Feb 2016 18:53:41 +0000 (00:23 +0530)
committerMichael Roth <mdroth@linux.vnet.ibm.com>
Tue, 22 Mar 2016 22:40:46 +0000 (17:40 -0500)
commite3a2cdfcb5e282139217924044ec5af00c7f8eed
tree46d62a36c00a2cfeec96e7ece8da25644e05ac27tree
parent4dcd2f13b1bf7f23a587d0e832ff30d2da6291a1commit | diff
usb: check RNDIS buffer offsets & length

When processing remote NDIS control message packets,
the USB Net device emulator uses a fixed length(4096) data buffer.
The incoming informationBufferOffset & Length combination could
overflow and cross that range. Check control message buffer
offsets and length to avoid it.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit fe3c546c5ff2a6210f9a4d8561cc64051ca8603e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
hw/usb/dev-network.c diff | blob | blame | history
Mirror of https://git.qemu.org/git/qemu.git