Commit 719ffe1f authored May 13, 2014 by Michael S. Tsirkin Committed by Juan Quintela May 14, 2014

usb: fix up post load checks



Correct post load checks:
1. dev->setup_len == sizeof(dev->data_buf)
    seems fine, no need to fail migration
2. When state is DATA, passing index > len
   will cause memcpy with negative length,
   resulting in heap overflow

First of the issues was reported by dgilbert.

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

parent d6ed7312

hw/usb/bus.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id)
		}
		if (dev->setup_index < 0 \|\|
		dev->setup_len < 0 \|\|
		dev->setup_index >= sizeof(dev->data_buf) \|\|
		dev->setup_len >= sizeof(dev->data_buf)) {
		dev->setup_index > dev->setup_len \|\|
		dev->setup_len > sizeof(dev->data_buf)) {
		return -EINVAL;
		}
		return 0;