On Tue, Nov 09, 2010 at 10:30:54AM +0100, Markus Armbruster wrote:
> Gleb Natapov <g...@redhat.com> writes:
>
> > Properly check array bounds before accessing array element.
>
> Impact?
>
Gaping security hole for those unfortunate enough to use usb-net?

> Apply to stable as well? > Definitely. Actually for me Windows7 crashed when usb-net is present. > > Signed-off-by: Gleb Natapov <g...@redhat.com> > > diff --git a/hw/usb-net.c b/hw/usb-net.c > > index 70f9263..84e2d79 100644 > > --- a/hw/usb-net.c > > +++ b/hw/usb-net.c > > @@ -1142,7 +1142,7 @@ static int usb_net_handle_control(USBDevice *dev, int > > request, int value, > > break; > > > > default: > > - if (usb_net_stringtable[value & 0xff]) { > > + if (ARRAY_SIZE(usb_net_stringtable) > (value & 0xff)) { > > ret = set_usb_string(data, > > usb_net_stringtable[value & 0xff]); > > break; > > Makes sense. > > Nitpick: LIMIT > INDEX looks unusual to me; INDEX < LIMIT is more > common. -- Gleb.
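
Review bot: The new condition in the `default:` case checks only the bound and drops the non-NULL test that the removed line performed on `usb_net_stringtable[value & 0xff]`. The table's contents are not visible in this hunk, so if it can hold unset entries, an in-range index would now pass a NULL pointer to `set_usb_string()`. Keeping both tests, bound first, avoids that: `if ((value & 0xff) < ARRAY_SIZE(usb_net_stringtable) && usb_net_stringtable[value & 0xff])`. Writing the comparison as index < limit also addresses the ordering nitpick raised in the reply. A short comment noting that `value` comes from the guest's control request would make the reason for the bound explicit.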