From 375cb86d9f79d9b92eebdeffdd3eb69ccf7a5187 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 15 Apr 2019 16:45:02 +0100 Subject: [PATCH] usb-mtp: fix bounds check for guest provided filename MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ObjectInfo struct has a variable length array containing the UTF-16 encoded filename. The number of characters of trailing data is given by the 'length' field in the struct and this must be validated against the size of the data packet received from the guest. Since the data is UTF-16, we must convert the byte count we have to a character count before validating. This must take care to truncate if a malicious guest sent an odd number of bytes. Signed-off-by: Daniel P. Berrangé Reviewed-by: Peter Maydell Reviewed-by: Bandan Das Signed-off-by: Peter Maydell --- hw/usb/dev-mtp.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index ebf210fbf8..99548b012d 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1699,12 +1699,19 @@ static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen) MTPObject *o; MTPObject *p = usb_mtp_object_lookup(s, s->dataset.parent_handle); uint32_t next_handle = s->next_handle; + size_t filename_chars = dlen - offsetof(ObjectInfo, filename); + + /* + * filename is utf-16. We're intentionally doing + * integer division to truncate if malicious guest + * sent an odd number of bytes. + */ + filename_chars /= 2; assert(!s->write_pending); assert(p != NULL); - filename = utf16_to_str(MIN(dataset->length, - dlen - offsetof(ObjectInfo, filename)), + filename = utf16_to_str(MIN(dataset->length, filename_chars), dataset->filename); if (strchr(filename, '/')) {