Commit f243bb4b authored by Gerd Hoffmann, committed by Michael Roth

usb: fix setup_len init (CVE-2020-14364)


Store calculated setup_len in a local variable, verify it, and only
write it to the struct (USBDevice->setup_len) in case it passed the
sanity checks.

This prevents other code (do_token_{in,out} functions specifically)
from working with invalid USBDevice->setup_len values and overrunning
the USBDevice->setup_buf[] buffer.

Fixes: CVE-2020-14364
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-id: 20200825053636.29648-1-kraxel@redhat.com
(cherry picked from commit b946434f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
parent a575af07
Showing with 10 additions and 6 deletions
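
The ordering the commit message describes, shown as an added example that is not part of this commit or of QEMU's source. It is a simplified model: the `toy_dev` struct, the 64-byte buffer size and both function names are hypothetical, and the sample SETUP packet is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define DATA_BUF_SIZE 64            /* constructed size for this model */

/* Hypothetical, simplified device state; not QEMU's USBDevice. */
struct toy_dev {
    uint8_t  setup_buf[8];          /* 8-byte SETUP packet, wLength in bytes 6..7 */
    uint8_t  data_buf[DATA_BUF_SIZE];
    unsigned setup_len;             /* trusted by later transfer stages */
};

static unsigned wlength(const struct toy_dev *d)
{
    return ((unsigned)d->setup_buf[7] << 8) | d->setup_buf[6];
}

/* "Before" ordering: the struct field is written first, checked afterwards. */
int setup_store_then_check(struct toy_dev *d)
{
    d->setup_len = wlength(d);
    if (d->setup_len > sizeof(d->data_buf)) return -1;  /* bad length stays in d */
    return 0;
}

/* "After" ordering: validate a local copy, commit it only on success. */
int setup_check_then_store(struct toy_dev *d)
{
    unsigned len = wlength(d);
    if (len > sizeof(d->data_buf)) return -1;           /* d->setup_len untouched */
    d->setup_len = len;
    return 0;
}

/* Invariant later stages rely on: the stored length fits the buffer. */
int state_is_consistent(const struct toy_dev *d)
{
    return d->setup_len <= sizeof(d->data_buf);
}

int main(void)
{
    struct toy_dev a = { .setup_buf = {0, 0, 0, 0, 0, 0, 0xff, 0xff} }; /* constructed */
    struct toy_dev b = a;
    int ra = setup_store_then_check(&a), rb = setup_check_then_store(&b);
    printf("store-then-check rc=%d consistent=%d; check-then-store rc=%d consistent=%d\n",
           ra, state_is_consistent(&a), rb, state_is_consistent(&b));
    return 0;
}
```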