usb: fix setup_len init (CVE-2020-14364)
authorGerd Hoffmann <kraxel@redhat.com>
Tue, 25 Aug 2020 05:36:36 +0000 (07:36 +0200)
committerGerd Hoffmann <kraxel@redhat.com>
Mon, 31 Aug 2020 06:23:39 +0000 (08:23 +0200)
commitb946434f2659a182afc17e155be6791ebfb302eb
treed0b25ff035e1bfa46b0349e8dfdea112c9eaa49c
parent202d69a715a4b1824dcd7ec1683d027ed2bae6d3
usb: fix setup_len init (CVE-2020-14364)

Store calculated setup_len in a local variable, verify it, and only
write it to the struct (USBDevice->setup_len) in case it passed the
sanity checks.

This prevents other code (do_token_{in,out} functions specifically)
from working with invalid USBDevice->setup_len values and overrunning
the USBDevice->setup_buf[] buffer.

Fixes: CVE-2020-14364
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-id: 20200825053636.29648-1-kraxel@redhat.com
hw/usb/core.c