Re: [PATCH] segfault due to buffer overrun in usb-serial

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I have not seen response to this. If there are no objections please apply.

Thanks,

David Ahern


On 02/03/2010 09:00 AM, David S. Ahern wrote:
> This fixes a segfault due to buffer overrun in the usb-serial device.
> The memcpy was incrementing the start location by recv_used yet, the
> computation of first_size (how much to write at the end of the buffer
> before wrapping to the front) was not accounting for it. This causes the
> next element after the receive buffer (recv_ptr) to get overwritten with
> random data.
> 
> Signed-off-by: David Ahern <daahern@xxxxxxxxx>
> 
> diff --git a/hw/usb-serial.c b/hw/usb-serial.c
> index 37293ea..c3f3401 100644
> --- a/hw/usb-serial.c
> +++ b/hw/usb-serial.c
> @@ -497,12 +497,28 @@ static int usb_serial_can_read(void *opaque)
>  static void usb_serial_read(void *opaque, const uint8_t *buf, int size)
>  {
>      USBSerialState *s = opaque;
> -    int first_size = RECV_BUF - s->recv_ptr;
> -    if (first_size > size)
> -        first_size = size;
> -    memcpy(s->recv_buf + s->recv_ptr + s->recv_used, buf, first_size);
> -    if (size > first_size)
> -        memcpy(s->recv_buf, buf + first_size, size - first_size);
> +    int first_size, start;
> +
> +    /* room in the buffer? */
> +    if (size > (RECV_BUF - s->recv_used))
> +        size = RECV_BUF - s->recv_used;
> +
> +    start = s->recv_ptr + s->recv_used;
> +    if (start < RECV_BUF) {
> +        /* copy data to end of buffer */
> +        first_size = RECV_BUF - start;
> +        if (first_size > size)
> +            first_size = size;
> +
> +        memcpy(s->recv_buf + start, buf, first_size);
> +
> +        /* wrap around to front if needed */
> +        if (size > first_size)
> +            memcpy(s->recv_buf, buf + first_size, size - first_size);
> +    } else {
> +        start -= RECV_BUF;
> +        memcpy(s->recv_buf + start, buf, size);
> +    }
>      s->recv_used += size;
>  }
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux