mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

hcd-musb: fix dereference null return value

Browse Source 
usb_ep_get and usb_handle_packet can deal with a NULL device, but we have
to avoid dereferencing NULL pointers when building the id.

Thanks to Gonglei for an initial stab at fixing this.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Paolo Bonzini 2014-11-17 11:57:23 +01:00
parent fae38221e7
commit a9be76576e
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hw/usb/hcd-musb.c
View File

@ -608,6 +608,7 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
USBDevice *dev;
USBEndpoint *uep;
int idx = epnum && dir;
int id;
int ttype;
/* ep->type[0,1] contains:
@ -625,8 +626,11 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
/* A wild guess on the FADDR semantics... */
dev = usb_find_device(&s->port, ep->faddr[idx]);
uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
usb_packet_setup(&ep->packey[dir].p, pid, uep, 0,
(dev->addr << 16) | (uep->nr << 8) | pid, false, true);
id = pid;
if (uep) {
id |= (dev->addr << 16) | (uep->nr << 8);
}
usb_packet_setup(&ep->packey[dir].p, pid, uep, 0, id, false, true);
usb_packet_addbuf(&ep->packey[dir].p, ep->buf[idx], len);
ep->packey[dir].ep = ep;
ep->packey[dir].dir = dir;