git.ipfire.org Git - thirdparty/qemu.git/commit

author	Gerd Hoffmann <kraxel@redhat.com>
	Tue, 25 Aug 2020 05:36:36 +0000 (07:36 +0200)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Wed, 9 Sep 2020 23:51:39 +0000 (18:51 -0500)
commit	f243bb4b0d6dab7da3ae8490e0f46054bae93816
tree	2a95485a7a83e25d626f7a13b086336d1e66faef	tree
parent	a575af07b8009bc51a311274c15846697b7d5f7c	commit \| diff

usb: fix setup_len init (CVE-2020-14364)

Store calculated setup_len in a local variable, verify it, and only
write it to the struct (USBDevice->setup_len) in case it passed the
sanity checks.

This prevents other code (do_token_{in,out} functions specifically)
from working with invalid USBDevice->setup_len values and overrunning
the USBDevice->setup_buf[] buffer.

Fixes: CVE-2020-14364
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-id: 20200825053636.29648-1-kraxel@redhat.com
(cherry picked from commit b946434f2659a182afc17e155be6791ebfb302eb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>