From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 25 Apr 2014 10:05:15 +0000 (+0200)
Subject: usb: mtp: fix possible buffer overflow
X-Git-Tag: v2.1.0-rc0~147^2~1
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=afa82daf1627645d3ad3e05954b098fff001ab32;p=users%2Fdwmw2%2Fqemu.git

usb: mtp: fix possible buffer overflow

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
---

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index b6eaeae17a..62428d8e7b 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -998,6 +998,14 @@ static void usb_mtp_handle_data(USBDevice *dev, USBPacket *p)
             cmd.argc = (le32_to_cpu(container.length) - sizeof(container))
                 / sizeof(uint32_t);
             cmd.trans = le32_to_cpu(container.trans);
+            if (cmd.argc > ARRAY_SIZE(cmd.argv)) {
+                cmd.argc = ARRAY_SIZE(cmd.argv);
+            }
+            if (p->iov.size < sizeof(container) + cmd.argc * sizeof(uint32_t)) {
+                trace_usb_mtp_stall(s->dev.addr, "packet too small");
+                p->status = USB_RET_STALL;
+                return;
+            }
             usb_packet_copy(p, &params, cmd.argc * sizeof(uint32_t));
             for (i = 0; i < cmd.argc; i++) {
                 cmd.argv[i] = le32_to_cpu(params[i]);