Better check of cmd_len, avoids possible overflow or failing asserts, specification state that range should be 1-16.
---
 src/cd-usb-bulk-msd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/cd-usb-bulk-msd.c b/src/cd-usb-bulk-msd.c
index ab6644f3..95365163 100644
--- a/src/cd-usb-bulk-msd.c
+++ b/src/cd-usb-bulk-msd.c
@@ -272,6 +272,10 @@ static int parse_usb_msd_cmd(UsbCdBulkMsdDevice *cd, uint8_t *buf, uint32_t cbw_
 SPICE_ERROR("CMD: Bad CBW signature:%08x", le32toh(cbw->sig));
 return -1;
 }
+ if (cbw->cmd_len < 1 || cbw->cmd_len >= 16) {
+ SPICE_ERROR("CMD: Bad CBW command len:%08x", cbw->cmd_len);
+ return -1;
+ }
 usb_req->lun = cbw->lun;
 usb_req->usb_tag = le32toh(cbw->tag);
@@ -295,7 +299,7 @@ static int parse_usb_msd_cmd(UsbCdBulkMsdDevice *cd, uint8_t *buf, uint32_t cbw_
 scsi_req->buf_len = 0;
 }
- scsi_req->cdb_len = ((uint32_t)cbw->cmd_len) & 0x1F;
+ scsi_req->cdb_len = cbw->cmd_len;
 g_assert(scsi_req->cdb_len <= sizeof(scsi_req->cdb));
 memcpy(scsi_req->cdb, cbw->cmd, scsi_req->cdb_len);
--
2.20.1
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
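Review bot: The upper bound in the added check of the first hunk, `cbw->cmd_len >= 16`, rejects a 16-byte command block even though the commit message gives the valid range as 1-16, so well-formed 16-byte CDBs would be refused as malformed. If 16 is meant to be accepted, the condition should read `if (cbw->cmd_len < 1 || cbw->cmd_len > 16) {`, ideally with the limit taken from `sizeof(cbw->cmd)` so the bound tracks the buffer the later memcpy reads from; that field's declaration is not visible here, so confirm it is a fixed 16-byte array. The `%08x` in the new log message is also wide for what appears to be a one-byte field, and `%u` would read better in logs. parse_usb_msd_cmd starts and ends outside this hunk.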
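Review bot: With the `& 0x1F` mask removed in the second hunk, the `memcpy` into `scsi_req->cdb` is bounded at run time only by the range check added in the first hunk, because `g_assert` expands to nothing when the code is compiled with `G_DISABLE_ASSERT`. That dependency deserves a comment above the assignment, for example `/* cmd_len was range-checked above; it bounds the memcpy below */`. A compile-time guard such as `G_STATIC_ASSERT(sizeof(scsi_req->cdb) >= 16);` would keep the protocol limit and the destination size from drifting apart. The size of `cdb` is not visible on this page, so the constant should be confirmed against the struct definition. The function body continues outside the hunk.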