Peter Maydell <peter.mayd...@linaro.org> writes:
> On 18 May 2018 at 19:22, Bandan Das <b...@redhat.com> wrote:
>>
>> CID 1390604
>> If the initiator sends a packet with TYPE_DATA set without
>> initiating a CMD_GET_OBJECT_INFO first, then usb_mtp_get_data
>> can trip on a null s->data_out.
>>
>> Signed-off-by: Bandan Das <b...@redhat.com>
>
> I think you said this can be provoked by the guest?
Yes, this can only be initated by the guest as far as I
understand.
> Misbehaving or malicious guests should never be able
> to provoke assertions.
I am not sure, I thought it's better to kill a misbehaving guest rather
than silently letting it run. Anyway, it's possible to send a
No_Valid_ObjectInfo as well and we wouldn't have to mark it as a
false positive either.
Bandan
>> ---
>> hw/usb/dev-mtp.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
>> index 3d59fe4944..905e025d7f 100644
>> --- a/hw/usb/dev-mtp.c
>> +++ b/hw/usb/dev-mtp.c
>> @@ -1696,6 +1696,7 @@ static void usb_mtp_get_data(MTPState *s,
>> mtp_container *container,
>> uint64_t dlen;
>> uint32_t data_len = p->iov.size;
>>
>> + assert(d != NULL);
>> if (d->first) {
>> /* Total length of incoming data */
>> d->length = cpu_to_le32(container->length) - sizeof(mtp_container);
>> --
>> 2.14.3
>
> thanks
> -- PMM
