Filter cmd_len bits, specifications state it's a 5 bit field Although higher bits of the byte are reserved and should be zero filter them out. Also accept 16 as length.
---
 src/cd-usb-bulk-msd.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/cd-usb-bulk-msd.c b/src/cd-usb-bulk-msd.c
index cb0ad91c..49e01eb6 100644
--- a/src/cd-usb-bulk-msd.c
+++ b/src/cd-usb-bulk-msd.c
@@ -271,8 +271,9 @@ static int parse_usb_msd_cmd(UsbCdBulkMsdDevice *cd, uint8_t *buf, uint32_t cbw_
 SPICE_ERROR("CMD: Bad CBW signature:%08x", le32toh(cbw->sig));
 return -1;
 }
- if (cbw->cmd_len < 1 || cbw->cmd_len >= 16) {
- SPICE_ERROR("CMD: Bad CBW command len:%08x", cbw->cmd_len);
+ const uint8_t cmd_len = cbw->cmd_len & 0x1F;
+ if (cmd_len < 1 || cmd_len > 16) {
+ SPICE_ERROR("CMD: Bad CBW command len:%08x", cmd_len);
 return -1;
 }
 
@@ -297,7 +298,7 @@ static int parse_usb_msd_cmd(UsbCdBulkMsdDevice *cd, uint8_t *buf, uint32_t cbw_
 scsi_req->buf_len = 0;
 }
 
- scsi_req->cdb_len = cbw->cmd_len;
+ scsi_req->cdb_len = cmd_len;
 g_assert(scsi_req->cdb_len <= sizeof(scsi_req->cdb));
 memcpy(scsi_req->cdb, cbw->cmd, scsi_req->cdb_len);
 
-- 
2.20.1
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
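Review bot: The new upper bound `cmd_len > 16` in the first hunk is a bare literal, yet it is the check that actually bounds the later copy out of `cbw->cmd`, and the size of that array is not visible here. Since the length byte arrives in the CBW from the USB host, I would tie the limit to the buffer, e.g. `if (cmd_len < 1 || cmd_len > sizeof(cbw->cmd)) {` (assuming `cmd` is a fixed array), and document the mask with `/* bCBWCBLength: bits 4..0 are the length, bits 7..5 are reserved */`. The error message now prints only the masked value, so a CBW with reserved bits set is accepted without any trace; logging the raw `cbw->cmd_len` would keep malformed requests visible. parse_usb_msd_cmd begins and continues outside this hunk.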
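Review bot: With 16 now accepted, the only check between `cdb_len` and the `memcpy` into `scsi_req->cdb` in the second hunk is `g_assert`, which aborts the process when it fails and disappears when the code is built with `G_DISABLE_ASSERT`. The size of `scsi_req->cdb` is not shown in this hunk. If it is at least 16, the runtime assert can never fire and `G_STATIC_ASSERT(sizeof(scsi_req->cdb) >= 16);` would state the invariant at compile time. If it is smaller, a host-supplied length of 16 becomes an abort, or an overflow in assert-disabled builds, and should take the `return -1` path instead. The function body continues outside the hunk.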