From: Gerd Hoffmann <kra...@redhat.com> CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked against data_buf size. Signed-off-by: Gerd Hoffmann <kra...@redhat.com> Signed-off-by: Michael S. Tsirkin <m...@redhat.com> --- hw/usb/bus.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/usb/bus.c b/hw/usb/bus.c index fe70429..8052bf1 100644 --- a/hw/usb/bus.c +++ b/hw/usb/bus.c @@ -53,6 +53,10 @@ static int usb_device_post_load(void *opaque, int version_id) dev->setup_len >= sizeof(dev->data_buf)) { return -EINVAL; } + if (dev->setup_index >= sizeof(dev->data_buf) || + dev->setup_len >= sizeof(dev->data_buf)) { + return -EINVAL; + } return 0; } -- MST
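Review bot: the added block in usb_device_post_load checks setup_index and setup_len only individually against sizeof(dev->data_buf), but the commit message says they are fed into usb_packet_copy together as offset and size into data_buf, so a pair where each value alone is below the buffer size while the range they describe is not still passes and still addresses past the buffer; the check should also bound the combination, for example `dev->setup_index + dev->setup_len` (or setup_index against setup_len, depending on how usb_packet_copy consumes the two) against sizeof(dev->data_buf). Also note that the context lines rendered before the `+` block already contain `dev->setup_len >= sizeof(dev->data_buf)) { return -EINVAL; }`, identical to the new lines, so either the diff context is mangled here or the new block duplicates an existing check; worth confirming against the tree before applying.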
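To make the difference between per-field and range checks concrete, here is an added example that is not part of the patch or of QEMU. It models the fields the commit message describes (setup_index as offset, setup_len as size into a fixed buffer) with a hypothetical `setup_state` struct and an assumed 4096-byte buffer; `check_pair_separately` has the shape of the patch's test, `check_pair_range` additionally requires the whole offset+size range to fit, and `copy_demo` is an assumed stand-in for the consumer described as usb_packet_copy, not QEMU's function.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed buffer size; stands in for sizeof(dev->data_buf) in the patch. */
#define DATA_BUF_SIZE 4096

/* Hypothetical stand-in for the USBDevice fields validated in post_load. */
typedef struct {
    int setup_index;                 /* offset into data_buf */
    int setup_len;                   /* size of the data to copy */
    uint8_t data_buf[DATA_BUF_SIZE];
} setup_state;

/* Same shape as the patch: each field compared on its own against the
 * buffer size.  The cast makes explicit the int-to-size_t conversion the
 * patch's comparison performs implicitly; it means a negative value becomes
 * huge and is rejected, but nothing relates the two fields to each other. */
int check_fields_separately(const setup_state *s)
{
    if ((size_t)s->setup_index >= sizeof(s->data_buf) ||
        (size_t)s->setup_len >= sizeof(s->data_buf)) {
        return -EINVAL;
    }
    return 0;
}

/* Stricter variant: treat (setup_index, setup_len) as (offset, size) and
 * require the entire range to lie inside data_buf.  Signedness is checked
 * explicitly, and the subtraction cannot underflow because setup_index is
 * bounded first. */
int check_range(const setup_state *s)
{
    if (s->setup_index < 0 || s->setup_len < 0) {
        return -EINVAL;
    }
    if ((size_t)s->setup_index > sizeof(s->data_buf) ||
        (size_t)s->setup_len > sizeof(s->data_buf) - (size_t)s->setup_index) {
        return -EINVAL;
    }
    return 0;
}

/* Assumed consumer modelled on the description of usb_packet_copy: copy
 * setup_len bytes from data_buf + setup_index into dst.  Refuses to run
 * unless the range check passed.  Returns bytes copied or -EINVAL. */
long copy_setup_data(const setup_state *s, uint8_t *dst, size_t dst_size)
{
    if (check_range(s) < 0 || (size_t)s->setup_len > dst_size) {
        return -EINVAL;
    }
    memcpy(dst, s->data_buf + s->setup_index, (size_t)s->setup_len);
    return s->setup_len;
}

/* Build a state with the two fields set (buffer zero-filled; values are
 * constructed for the demonstration). */
static setup_state make_state(int index, int len)
{
    setup_state s;
    memset(&s, 0, sizeof(s));
    s.setup_index = index;
    s.setup_len = len;
    return s;
}

/* Convenience wrappers so a caller can probe a (index, len) pair directly. */
int check_pair_separately(int index, int len)
{
    setup_state s = make_state(index, len);
    return check_fields_separately(&s);
}

int check_pair_range(int index, int len)
{
    setup_state s = make_state(index, len);
    return check_range(&s);
}

long copy_demo(int index, int len)
{
    uint8_t dst[DATA_BUF_SIZE];
    setup_state s = make_state(index, len);
    return copy_setup_data(&s, dst, sizeof(dst));
}
```

With the assumed 4096-byte buffer, the pair (4000, 200) passes `check_pair_separately` because each value alone is below 4096, yet `check_pair_range` rejects it since 4000 + 200 reaches past the buffer; a negative index is rejected by both.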