usb: sanity check setup_index+setup_len in post_load
CVE-2013-4541 s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked to make sure they are not negative. Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
This commit is contained in:
parent
3476436a44
commit
9f8e9895c5
@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
|
||||
} else {
|
||||
dev->attached = 1;
|
||||
}
|
||||
if (dev->setup_index >= sizeof(dev->data_buf) ||
|
||||
if (dev->setup_index < 0 ||
|
||||
dev->setup_len < 0 ||
|
||||
dev->setup_index >= sizeof(dev->data_buf) ||
|
||||
dev->setup_len >= sizeof(dev->data_buf)) {
|
||||
return -EINVAL;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user