From: Gerd Hoffmann <kraxel@redhat.com> Date: Fri, 25 Apr 2014 10:05:15 +0000 (+0200) Subject: usb: mtp: fix possible buffer overflow X-Git-Tag: v2.1.0-rc0~147^2~1 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=afa82daf1627645d3ad3e05954b098fff001ab32;p=users%2Fdwmw2%2Fqemu.git usb: mtp: fix possible buffer overflow Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> --- diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index b6eaeae17a..62428d8e7b 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -998,6 +998,14 @@ static void usb_mtp_handle_data(USBDevice *dev, USBPacket *p) cmd.argc = (le32_to_cpu(container.length) - sizeof(container)) / sizeof(uint32_t); cmd.trans = le32_to_cpu(container.trans); + if (cmd.argc > ARRAY_SIZE(cmd.argv)) { + cmd.argc = ARRAY_SIZE(cmd.argv); + } + if (p->iov.size < sizeof(container) + cmd.argc * sizeof(uint32_t)) { + trace_usb_mtp_stall(s->dev.addr, "packet too small"); + p->status = USB_RET_STALL; + return; + } usb_packet_copy(p, ¶ms, cmd.argc * sizeof(uint32_t)); for (i = 0; i < cmd.argc; i++) { cmd.argv[i] = le32_to_cpu(params[i]);