[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] 375cb8: usb-mtp: fix bounds check for guest p
|
From: |
Peter Maydell |
|
Subject: |
[Qemu-commits] [qemu/qemu] 375cb8: usb-mtp: fix bounds check for guest provided filename |
|
Date: |
Tue, 16 Apr 2019 15:26:48 -0700 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 375cb86d9f79d9b92eebdeffdd3eb69ccf7a5187
https://github.com/qemu/qemu/commit/375cb86d9f79d9b92eebdeffdd3eb69ccf7a5187
Author: Daniel P. Berrangé <address@hidden>
Date: 2019-04-16 (Tue, 16 Apr 2019)
Changed paths:
M hw/usb/dev-mtp.c
Log Message:
-----------
usb-mtp: fix bounds check for guest provided filename
The ObjectInfo struct has a variable length array containing the UTF-16
encoded filename. The number of characters of trailing data is given by
the 'length' field in the struct and this must be validated against the
size of the data packet received from the guest.
Since the data is UTF-16, we must convert the byte count we have to a
character count before validating. This must take care to truncate if
a malicious guest sent an odd number of bytes.
Signed-off-by: Daniel P. Berrangé <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Reviewed-by: Bandan Das <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
Commit: eeba63fc7fface36f438bcbc0d3b02e7dcb59983
https://github.com/qemu/qemu/commit/eeba63fc7fface36f438bcbc0d3b02e7dcb59983
Author: Peter Maydell <address@hidden>
Date: 2019-04-16 (Tue, 16 Apr 2019)
Changed paths:
M VERSION
Log Message:
-----------
Update version for v4.0.0-rc4 release
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/dbfc49b69afc...eeba63fc7ffa
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-commits] [qemu/qemu] 375cb8: usb-mtp: fix bounds check for guest provided filename,
Peter Maydell <=