authorHans de Goede <hdegoede@redhat.com>2011-02-02 17:46:00 +0100
committerGerd Hoffmann <kraxel@redhat.com>2011-05-04 12:25:52 +0200
commit19f3322379c25a235eb1ec6335676549109fa625 (patch)
treed833d9d4e6e0d8f0cd7bbb9e57a554ed1c7d1e1a
parentbb6d5498c6756eba3d0779c7753fc8830a8a9078 (diff)
usb: control buffer fixes
Windows allows control transfers to pass up to 4k of data, so raise our control buffer size to 4k. For control out transfers the usb core code copies the control request data to a buffer before calling the device's handle_control callback. Add a check for overflowing the buffer before copying the data. Signed-off-by: Hans de Goede <hdegoede@redhat.com>
-rw-r--r--hw/usb.c6
-rw-r--r--hw/usb.h2
2 files changed, 7 insertions, 1 deletions
diff --git a/hw/usb.c b/hw/usb.c
index 82a6217a0b..d8c0a75c3a 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -93,6 +93,12 @@ static int do_token_setup(USBDevice *s, USBPacket *p)
s->setup_len = ret;
s->setup_state = SETUP_STATE_DATA;
} else {
+ if (s->setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+ s->setup_len, sizeof(s->data_buf));
+ return USB_RET_STALL;
+ }
if (s->setup_len == 0)
s->setup_state = SETUP_STATE_ACK;
else
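Review bot: The new bound on `s->setup_len` is applied only in the `else` branch, so the branch that ends with `s->setup_len = ret;` just above it is not covered by this check. That branch lies mostly outside the hunk; if it passes the guest-supplied length to the device's handle_control callback as the limit for writing into `s->data_buf`, it needs the same bound, and hoisting `if (s->setup_len > sizeof(s->data_buf)) return USB_RET_STALL;` above the `if`/`else` would cover both paths. The message also names `usb_generic_handle_packet` although the hunk header places this code in `do_token_setup`, and since a guest can trigger the condition at will, the unthrottled `fprintf(stderr, ...)` can be used to flood the host's stderr log. do_token_setup starts and ends outside the hunk.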
diff --git a/hw/usb.h b/hw/usb.h
index d3d755db7b..22bb3385ba 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -167,7 +167,7 @@ struct USBDevice {
int32_t state;
uint8_t setup_buf[8];
- uint8_t data_buf[1024];
+ uint8_t data_buf[4096];
int32_t remote_wakeup;
int32_t setup_state;
int32_t setup_len;
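Review bot: The bare `4096` in `data_buf` carries no comment recording why that size was chosen; a field comment such as `/* control transfer data stage; Windows sends up to 4k */` would keep the rationale next to the code. The check added in hw/usb.c uses `sizeof(s->data_buf)` and so follows the new size, but any other code that still assumes a 1024-byte buffer (none is visible here) should be switched to `sizeof` as well. struct USBDevice continues outside the hunk.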