ExternalVendorCode/genode
1
0
Fork 0
mirror of https://github.com/genodelabs/genode.git synced 2025-02-21 10:01:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

qemu-usb: only copy data when packet succeeded

Browse Source 
In case the packet is erronous the value of 'actual_size' can be
invalid and using it may lead to a page-fault due to out-of-bounce
access.

With this commit access is only performed on successful packets.

Fixes #4763.
This commit is contained in:
Josef Söntgen 2023-02-13 11:10:23 +01:00 committed by Christian Helmuth
parent e2c334d6e4
commit 8145ff6303
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
repos/libports/src/lib/qemu-usb/host.cc
View File

@ -162,15 +162,16 @@ struct Completion : Usb::Completion
p->actual_length = 0; p->actual_length = 0;
if (p->pid == USB_TOKEN_IN && actual_size > 0) { if (packet.succeded) {
if (data) Genode::memcpy(data, content, actual_size);
else usb_packet_copy(p, content, actual_size);
}
p->actual_length = actual_size; if (p->pid == USB_TOKEN_IN && actual_size > 0) {
if (data) Genode::memcpy(data, content, actual_size);
else usb_packet_copy(p, content, actual_size);
}
if (packet.succeded) p->actual_length = actual_size;
p->status = USB_RET_SUCCESS; p->status = USB_RET_SUCCESS;
}
else { else {
if (packet.error == Packet_error::STALL_ERROR) if (packet.error == Packet_error::STALL_ERROR)
p->status = USB_RET_STALL; p->status = USB_RET_STALL;