usb: sanity check setup_index+setup_len in post_load - qemu

diff options

author	Michael S. Tsirkin <mst@redhat.com>	2014-04-03 19:52:25 +0300
committer	Juan Quintela <quintela@redhat.com>	2014-05-05 22:15:03 +0200
commit	9f8e9895c504149d7048e9fc5eb5cbb34b16e49a (patch)
tree	4d13c798595979f4650e00acfb74a03fc54047da /target-openrisc/exception_helper.c
parent	vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ (diff)
download	qemu-9f8e9895c504149d7048e9fc5eb5cbb34b16e49a.tar.xz qemu-9f8e9895c504149d7048e9fc5eb5cbb34b16e49a.zip

usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541 s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked to make sure they are not negative. Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>

Diffstat (limited to 'target-openrisc/exception_helper.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: