15c35dfd92
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| Makefile.objs | ||
| bus.c | ||
| ccid-card-emulated.c | ||
| ccid-card-passthru.c | ||
| ccid.h | ||
| combined-packet.c | ||
| core.c | ||
| desc-msos.c | ||
| desc.c | ||
| desc.h | ||
| dev-audio.c | ||
| dev-bluetooth.c | ||
| dev-hid.c | ||
| dev-hub.c | ||
| dev-network.c | ||
| dev-serial.c | ||
| dev-smartcard-reader.c | ||
| dev-storage.c | ||
| dev-uas.c | ||
| dev-wacom.c | ||
| hcd-ehci-pci.c | ||
| hcd-ehci-sysbus.c | ||
| hcd-ehci.c | ||
| hcd-ehci.h | ||
| hcd-musb.c | ||
| hcd-ohci.c | ||
| hcd-uhci.c | ||
| hcd-xhci.c | ||
| host-legacy.c | ||
| host-libusb.c | ||
| host-stub.c | ||
| host.h | ||
| libhw.c | ||
| quirks-ftdi-ids.h | ||
| quirks-pl2303-ids.h | ||
| quirks.c | ||
| quirks.h | ||
| redirect.c | ||