In xhci_get_port_bandwidth(), we use a variable-length array to
construct the buffer to send back to the guest. Avoid the VLA
by using dma_memory_set() to directly request the memory system
to fill the guest memory with a string of '80's.
The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
Use of dma_memory_set() is a suggestion from RTH from Philippe's
original attempt. If we ever do anything about the "use real
values" TODO we'll need to do something else (eg heap-allocated
array), but since we haven't done so since the code was written
in 2012 it doesn't seem very likely we'll ever do so.
---
hw/usb/hcd-xhci.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)