qemu/hw/usb
Gerd Hoffmann 0136464d10 usb: fix serial generator
snprintf return value is *not* the number of chars written into the
buffer, but the number of chars needed.  So in case the buffer is too
small you can go alloc a bigger one and try again.  But that also means
you can't simply use the return value for the next snprintf call
without checking beforehand that things did actually fit.

Problem is that usb_desc_create_serial didn't perform that check, so a
loooong path string (can happen with deep pci-bridge nesting) results in
the third snprintf call smashing the stack.

Fix this by throwing out all the snprintf calls and use g_strdup_printf
instead.

https://bugzilla.redhat.com/show_bug.cgi?id=1381630

Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1475659998-22045-1-git-send-email-kraxel@redhat.com
2016-10-12 14:37:15 +02:00
..
bus.c usb: free USBDevice.strings 2016-08-08 00:00:32 +04:00
ccid-card-emulated.c event-notifier: Add "is_external" parameter 2016-04-22 16:43:56 +02:00
ccid-card-passthru.c hw: replace most use of qemu_chr_fe_write with qemu_chr_fe_write_all 2016-09-13 19:09:42 +02:00
ccid.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
combined-packet.c usb: Clean up includes 2016-01-29 15:07:23 +00:00
core.c usb: check RNDIS message length 2016-02-23 10:38:00 +01:00
desc-msos.c usb: Clean up includes 2016-01-29 15:07:23 +00:00
desc.c usb: fix serial generator 2016-10-12 14:37:15 +02:00
desc.h all: Clean up includes 2016-02-23 12:43:05 +00:00
dev-audio.c usb: Clean up includes 2016-01-29 15:07:23 +00:00
dev-bluetooth.c usb: Clean up includes 2016-01-29 15:07:23 +00:00
dev-hid.c include/qemu/osdep.h: Don't include qapi/error.h 2016-03-22 22:20:15 +01:00
dev-hub.c include/qemu/osdep.h: Don't include qapi/error.h 2016-03-22 22:20:15 +01:00
dev-mtp.c usb-mtp: added object properties 2016-09-14 11:17:06 +02:00
dev-network.c net: Use correct type for bool flag 2016-07-19 20:18:27 +02:00
dev-serial.c hw: replace most use of qemu_chr_fe_write with qemu_chr_fe_write_all 2016-09-13 19:09:42 +02:00
dev-smartcard-reader.c include/qemu/osdep.h: Don't include qapi/error.h 2016-03-22 22:20:15 +01:00
dev-storage.c block/qdev: Allow configuring WCE with qdev properties 2016-07-13 13:32:27 +02:00
dev-uas.c usb-uas: hotplug support 2016-06-22 12:53:26 +02:00
dev-wacom.c usb: Clean up includes 2016-01-29 15:07:23 +00:00
hcd-ehci-pci.c usb: Clean up includes 2016-01-29 15:07:23 +00:00
hcd-ehci-sysbus.c usb: Clean up includes 2016-01-29 15:07:23 +00:00
hcd-ehci.c usb: ehci: fix memory leak in ehci_process_itd 2016-10-08 11:25:29 +03:00
hcd-ehci.h Clean up header guards that don't match their file name 2016-07-12 16:19:16 +02:00
hcd-musb.c Replaced get_tick_per_sec() by NANOSECONDS_PER_SECOND 2016-03-22 22:20:17 +01:00
hcd-ohci.c remove useless muldiv64() 2016-06-07 18:02:49 +03:00
hcd-uhci.c usb/uhci: move pid check 2016-04-25 12:05:05 +01:00
hcd-xhci.c xhci: make xhci_epid_to_usbep accept XHCIEPContext 2016-10-12 12:37:31 +02:00
host-legacy.c usb: Clean up includes 2016-01-29 15:07:23 +00:00
host-libusb.c usb-host: fix streams detection in usb_host_speed_compat 2016-09-13 09:19:26 +02:00
host-stub.c usb: Clean up includes 2016-01-29 15:07:23 +00:00
host.h usb-host: move legacy cmd line bits 2013-02-19 12:30:05 +01:00
libhw.c usb: Clean up includes 2016-01-29 15:07:23 +00:00
Makefile.objs xen: add pvUSB backend 2016-05-23 13:30:03 +02:00
quirks-ftdi-ids.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
quirks-pl2303-ids.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
quirks.c usb: Clean up includes 2016-01-29 15:07:23 +00:00
quirks.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
redirect.c usbredir: add streams property 2016-07-20 13:31:20 +02:00
trace-events trace-events: fix first line comment in trace-events 2016-08-12 10:36:01 +01:00
tusb6010.c Replaced get_tick_per_sec() by NANOSECONDS_PER_SECOND 2016-03-22 22:20:17 +01:00
xen-usb.c xen: drain submit queue in xen-usb before removing device 2016-08-03 10:29:10 +02:00