Re: [Qemu-devel] [PATCH] usb: check RNDIS buffer offsets & length

2016-02-17 Thread Gerd Hoffmann
On Mi, 2016-02-17 at 13:55 +0530, P J P wrote: > +-- On Tue, 16 Feb 2016, Gerd Hoffmann wrote --+ > | > @@ -172,11 +172,18 @@ static void do_token_in(USBDevice *s, USBPacket *p) > | > assert(p->ep->nr == 0); > | > +if (s->setup_len > sizeof(s->data_buf)) { > | > +fprintf(stderr, >

Re: [Qemu-devel] [PATCH] usb: check RNDIS buffer offsets & length

2016-02-17 Thread P J P
+-- On Tue, 16 Feb 2016, Gerd Hoffmann wrote --+ | > @@ -172,11 +172,18 @@ static void do_token_in(USBDevice *s, USBPacket *p) | > assert(p->ep->nr == 0); | > +if (s->setup_len > sizeof(s->data_buf)) { | > +fprintf(stderr, | > +"usb_generic_handle_packet: ctrl
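Review bot: in the do_token_in hunk, the message for the new `s->setup_len > sizeof(s->data_buf)` check is prefixed "usb_generic_handle_packet:", which is not the function the check sits in. Name do_token_in in the message so a log line identifies the path that rejected the transfer. The report is also written with a bare fprintf(stderr, ...), and setup_len comes from the guest's setup packet, so if this branch is reachable the guest can emit the message at will; a trace point or a rate-limited error report would be a safer way to surface it.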

Re: [Qemu-devel] [PATCH] usb: check RNDIS buffer offsets & length

2016-02-16 Thread P J P
Hello Gerd, +-- On Tue, 16 Feb 2016, Gerd Hoffmann wrote --+ | Moves up the check so it is done for every control xfer. Good. ... | Why this is needed? All control transfers go through do_token_setup | first, so with the check moved in do_token_setup we should never ever | trigger it here

Re: [Qemu-devel] [PATCH] usb: check RNDIS buffer offsets & length

2016-02-16 Thread Gerd Hoffmann
> diff --git a/hw/usb/core.c b/hw/usb/core.c > index d0025db..9d90ec7 100644 > --- a/hw/usb/core.c > +++ b/hw/usb/core.c > @@ -128,9 +128,16 @@ static void do_token_setup(USBDevice *s, USBPacket *p) > } > > usb_packet_copy(p, s->setup_buf, p->iov.size); > +s->setup_index = 0; >

Re: [Qemu-devel] [PATCH] usb: check RNDIS buffer offsets & length

2016-02-15 Thread Gerd Hoffmann
On Mo, 2016-02-15 at 09:56 +0530, P J P wrote: > +-- On Tue, 9 Feb 2016, P J P wrote --+ > | +-- On Fri, 5 Feb 2016, P J P wrote --+ > | | From: Prasad J Pandit > | | > | | When processing remote NDIS control message packets, the USB Net > | | device emulator uses a fixed

Re: [Qemu-devel] [PATCH] usb: check RNDIS buffer offsets & length

2016-02-14 Thread P J P
+-- On Tue, 9 Feb 2016, P J P wrote --+ | +-- On Fri, 5 Feb 2016, P J P wrote --+ | | From: Prasad J Pandit | | | | When processing remote NDIS control message packets, the USB Net | | device emulator uses a fixed length(4096) data buffer. The incoming | |

Re: [Qemu-devel] [PATCH] usb: check RNDIS buffer offsets & length

2016-02-09 Thread P J P
+-- On Fri, 5 Feb 2016, P J P wrote --+ | From: Prasad J Pandit | | When processing remote NDIS control message packets, the USB Net | device emulator uses a fixed length(4096) data buffer. The incoming | informationBufferOffset & Length combination could cross that

[Qemu-devel] [PATCH] usb: check RNDIS buffer offsets & length

2016-02-05 Thread P J P
From: Prasad J Pandit When processing remote NDIS control message packets, the USB Net device emulator uses a fixed length(4096) data buffer. The incoming informationBufferOffset & Length combination could cross that range. Check control message buffer offsets and length