Commit 3c969a60 authored May 18, 2018 by Bandan Das Committed by Gerd Hoffmann Jun 12, 2018

usb-mtp: Return error on suspicious TYPE_DATA packet from initiator



CID 1390604
If the initiator sends a packet with TYPE_DATA set without
initiating a CMD_GET_OBJECT_INFO first, then usb_mtp_get_data
can trip on a null s->data_out.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <jpgr2m8ajfk.fsf_-_@linux.bootlegged.copy>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

parent 1a3ff20e

hw/usb/dev-mtp.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -1700,6 +1700,11 @@ static void usb_mtp_get_data(MTPState s, mtp_container container,
		uint64_t dlen;
		uint32_t data_len = p->iov.size;

		if (!d) {
		usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, 0,
		0, 0, 0, 0);
		return;
		}
		if (d->first) {
		/* Total length of incoming data */
		d->length = cpu_to_le32(container->length) - sizeof(mtp_container);