Hi:

[QEMU] usb-uhci: Data buffer is too small

The data buffer is only 1280 bytes long but the user-supplied length can be as large as 0x7ff. This patch extends the buffer to 2048 bytes.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff -r 463bda167715 tools/ioemu/hw/usb-uhci.c --- a/tools/ioemu/hw/usb-uhci.c Wed Nov 29 12:43:11 2006 +0000 +++ b/tools/ioemu/hw/usb-uhci.c Thu Nov 30 16:38:40 2006 +1100 @@ -421,7 +421,7 @@ static int uhci_handle_td(UHCIState *s, static int uhci_handle_td(UHCIState *s, UHCI_TD *td, int *int_mask) { uint8_t pid; - uint8_t buf[1280]; + uint8_t buf[2048]; int len, max_len, err, ret; if (td->ctrl & TD_CTRL_IOC) {
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
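Review bot: in uhci_handle_td the new `uint8_t buf[2048];` is still a bare literal, and nothing in the hunk bounds `len` or `max_len` against it, so the fix holds only while 2048 stays above every length the guest can supply. The description gives that maximum as 0x7ff, which 2048 covers by a single byte. Consider deriving the size from that limit through a named constant and checking the length against `sizeof(buf)` before the buffer is filled, so that a later change to either side fails safely instead of overrunning this stack buffer.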
Aurelien Jarno
2007-Jan-17 10:08 UTC
[Xen-devel] Re: [Qemu-devel] qemu/usb-uhci: Data buffer is too small
On Thu, Nov 30, 2006 at 04:41:41PM +1100, Herbert Xu wrote:
> Hi:
>
> [QEMU] usb-uhci: Data buffer is too small
>
> The data buffer is only 1280 bytes long but the user-supplied length
> can be as large as 0x7ff. This patch extends the buffer to 2048
> bytes.
>

This patch does not apply to the current CVS, as the variable buf has been moved into a structure. If the problem is still there, I guess the patch below should be applied instead.

Index: hw/usb-uhci.c ==================================================================RCS file: /sources/qemu/qemu/hw/usb-uhci.c,v retrieving revision 1.12 diff -u -d -p -r1.12 usb-uhci.c --- hw/usb-uhci.c 12 Aug 2006 01:04:27 -0000 1.12 +++ hw/usb-uhci.c 17 Jan 2007 10:06:16 -0000 @@ -87,7 +87,7 @@ typedef struct UHCIState { is to allow multiple pending requests. */ uint32_t async_qh; USBPacket usb_packet; - uint8_t usb_buf[1280]; + uint8_t usb_buf[2048]; } UHCIState; typedef struct UHCI_TD {

--
.''''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :'' : Debian developer | Electrical Engineer
`. `'' aurel32@debian.org | aurelien@aurel32.net
`- people.debian.org/~aurel32 | www.aurel32.net
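Review bot: `uint8_t usb_buf[2048];` at the end of UHCIState carries no comment or named constant saying where 2048 comes from, so the link to the 0x7ff maximum length exists only in the mail text. The cover note itself says "If the problem is still there", so before applying, confirm that the code filling usb_buf still takes the guest-supplied length unclamped; if it does, a `#define` tied to that maximum and a one-line comment on the field would document the bound for whoever next touches the struct.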
Herbert Xu
2007-Jan-17 11:43 UTC
Re: [Xen-devel] Re: [Qemu-devel] qemu/usb-uhci: Data buffer is too small
Aurelien Jarno <aurelien@aurel32.net> wrote:
>
> This patch does not apply to the current CVS, as the variable buf has
> been moved into a structure. If the problem is still there, I guess the
> patch below should be applied instead.

Yes, unless someone has added a run-time check to cap the length to 1280 bytes then this is still needed.

Thanks,
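The run-time check mentioned in the last reply, as an added example that is not code from QEMU or from this thread: it decodes an 11-bit length and rejects any value that does not fit the buffer, instead of relying on the buffer size alone. The field position (bits 31:21), the length-minus-one encoding and every name below are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TD_MAXLEN_SHIFT 21      /* assumed position of the length field */
#define TD_MAXLEN_MASK  0x7ffu  /* 11-bit field: the 0x7ff from the thread */

/* Decode the guest-controlled length. Assumed encoding: the field holds
 * length - 1, so a field of 0x7ff wraps to 0 (empty packet). */
static uint32_t td_max_len(uint32_t token)
{
    return ((token >> TD_MAXLEN_SHIFT) + 1) & TD_MAXLEN_MASK;
}

/* Copy one transfer into a fixed buffer. Returns the number of bytes
 * copied, or -1 when the requested length does not fit. */
static int td_copy_checked(uint8_t *buf, size_t buf_size,
                           const uint8_t *src, uint32_t token)
{
    uint32_t len = td_max_len(token);

    if (len > buf_size)
        return -1;              /* reject instead of overrunning buf */
    memcpy(buf, src, len);
    return (int)len;
}

/* Constructed input: one descriptor whose length field is `field`,
 * run against a limit of buf_size bytes (buf_size <= 2048). */
static int demo(uint32_t field, size_t buf_size)
{
    static uint8_t guest_data[2048]; /* stands in for guest memory */
    static uint8_t buf[2048];        /* backing store; buf_size is the limit */

    return td_copy_checked(buf, buf_size, guest_data,
                           field << TD_MAXLEN_SHIFT);
}

int main(void)
{
    printf("field 0x4ff, 1280-byte buffer: %d\n", demo(0x4ff, 1280));
    printf("field 0x7fe, 1280-byte buffer: %d\n", demo(0x7fe, 1280));
    printf("field 0x7fe, 2048-byte buffer: %d\n", demo(0x7fe, 2048));
    return 0;
}
```

With the check in place the 1280-byte buffer is safe against oversized lengths, and the 2048-byte buffer from the patches accepts every length the field can express.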