From: Markus Armbruster Date: Tue, 14 May 2019 18:03:08 +0000 (+0200) Subject: gdbstub: Reject invalid RLE repeat counts X-Git-Tag: v4.1.0-rc0~95^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=046aba169bc21c08823cfbe8d4f3b4ad116ac676;p=thirdparty%2Fqemu.git gdbstub: Reject invalid RLE repeat counts "Debugging with GDB / Appendix E GDB Remote Serial Protocol / Overview" specifies "The printable characters '#' and '$' or with a numeric value greater than 126 must not be used." gdb_read_byte() only rejects values < 32. This is wrong. Impact depends on the caller: * gdb_handlesig() passes a char. Incorrectly accepts '#', '$' and '\127'. * gdb_chr_receive() passes an uint8_t. Additionally accepts characters with the most-significant bit set. Correct the validity check to match the specification. Signed-off-by: Markus Armbruster Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20190514180311.16028-4-armbru@redhat.com> --- diff --git a/gdbstub.c b/gdbstub.c index d54abd17cc2..c41eb1de078 100644 --- a/gdbstub.c +++ b/gdbstub.c @@ -2064,7 +2064,11 @@ static void gdb_read_byte(GDBState *s, int ch) } break; case RS_GETLINE_RLE: - if (ch < ' ') { + /* + * Run-length encoding is explained in "Debugging with GDB / + * Appendix E GDB Remote Serial Protocol / Overview". + */ + if (ch < ' ' || ch == '#' || ch == '$' || ch > 126) { /* invalid RLE count encoding */ trace_gdbstub_err_invalid_repeat((uint8_t)ch); s->state = RS_GETLINE;
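Review bot: the new condition in the RS_GETLINE_RLE case matches the spec's list of forbidden count bytes, but the comment above it only points the reader at the appendix; since neither the upper bound 126 nor the special-casing of '#' and '$' is obvious from the code, consider stating the rule in the comment itself, e.g. `/* count byte is n + 29; '#', '$' and bytes > 126 are forbidden */`, so the next reader does not have to open the manual to see why ' ' is the smallest accepted value. Also, the commit message cites '\127' as a byte the old check wrongly accepted; in C that is an octal escape (decimal 87, 'W'), whereas the byte the spec excludes via "greater than 126" is DEL, decimal 127.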
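As an added example, not QEMU's code and not part of this commit, the following C program decodes the run-length encoding described in the commit message. The hypothetical helper rle_count_valid() implements the corrected rule (count byte in 32..126, excluding '#' and '$'), old_count_accepts() reproduces the old `ch < ' '` test to show why it let '#', '$', DEL and (for a uint8_t caller) high-bit bytes through, and rle_decode() applies the "n + 29" count encoding to a constructed payload. All inputs are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: the corrected validity test for an RLE count byte.
 * Per the GDB RSP spec the count is sent as n + 29, so the smallest legal
 * byte is ' ' (n = 3); '#', '$' and anything above 126 are forbidden. */
static bool rle_count_valid(uint8_t c)
{
    return c >= ' ' && c != '#' && c != '$' && c <= 126;
}

/* The old test, as in gdb_read_byte() before the fix: only rejects < ' '.
 * Takes an int, as the real function does, so the caller's type matters. */
static bool old_count_accepts(int ch)
{
    return !(ch < ' ');
}

/* Decode an RLE-encoded RSP payload into out (capacity outcap, NUL added).
 * Returns the decoded length, or -1 on an invalid count byte, a repeat with
 * nothing to repeat, a truncated "*", or an overflow of out. */
static int rle_decode(const uint8_t *in, size_t inlen, char *out, size_t outcap)
{
    size_t o = 0;

    for (size_t i = 0; i < inlen; i++) {
        uint8_t c = in[i];

        if (c != '*') {
            if (o + 1 >= outcap) {
                return -1;                 /* no room for byte + NUL */
            }
            out[o++] = (char)c;
            continue;
        }

        if (o == 0 || i + 1 >= inlen) {
            return -1;                     /* "*" with no preceding byte, or truncated */
        }
        uint8_t cnt = in[++i];
        if (!rle_count_valid(cnt)) {
            return -1;                     /* invalid RLE count encoding */
        }
        size_t repeat = (size_t)cnt - 29;  /* additional copies of the previous byte */
        if (o + repeat >= outcap) {
            return -1;
        }
        memset(out + o, out[o - 1], repeat);
        o += repeat;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed payloads taken from the spec's own examples and edge cases. */
    const char *samples[] = { "0* ", "0*\"00", "ab*!", "0*#", "0*$", "0*\x7f", "0*\xff", "0*" };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = rle_decode((const uint8_t *)samples[i], strlen(samples[i]), buf, sizeof buf);
        if (n < 0) {
            printf("%-8s -> rejected\n", samples[i]);
        } else {
            printf("%-8s -> \"%s\" (%d bytes)\n", samples[i], buf, n);
        }
    }

    /* Why the caller's type mattered for the old check: a uint8_t 0xff is 255
     * and passes "< ' '", a signed char 0xff is -1 and is (accidentally) rejected. */
    printf("old check, uint8_t 0xff: %s\n", old_count_accepts((uint8_t)0xff) ? "accepted" : "rejected");
    printf("old check, signed char 0xff: %s\n", old_count_accepts((signed char)0xff) ? "accepted" : "rejected");
    return 0;
}
```

The decoder treats the count as the number of extra copies of the byte just written, so "0* " expands to "0000" and the spec's '0*"00' to eight zeros; every forbidden count byte makes the packet fail as a whole, mirroring the state reset in the patched gdb_read_byte().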