usb-mtp: fix bounds check for guest provided filename
commit 375cb86d9f79d9b92eebdeffdd3eb69ccf7a5187
author Daniel P. Berrangé <berrange@redhat.com>
Mon, 15 Apr 2019 15:45:02 +0000 (15 16:45 +0100)
committer Peter Maydell <peter.maydell@linaro.org>
Tue, 16 Apr 2019 19:43:39 +0000 (16 20:43 +0100)
tree 983652a616cc1fb20e3aca67c91be517d88d6a39
parent dbfc49b69afc616227769f4ab928e452ac7af061

The ObjectInfo struct has a variable length array containing the UTF-16
encoded filename. The number of characters of trailing data is given by
the 'length' field in the struct and this must be validated against the
size of the data packet received from the guest.

Since the data is UTF-16, we must convert the byte count we have to a
character count before validating. This must take care to truncate if
a malicious guest sent an odd number of bytes.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Bandan Das <bsd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
hw/usb/dev-mtp.c
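
The validation the commit message describes, as an added C example that is not the code from this commit or from QEMU. The one-byte header layout, the function names and the sample packets are constructed assumptions; the first check shows the unit mismatch, the second converts bytes to UTF-16 code units before comparing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical simplified layout, not QEMU's ObjectInfo:
 * byte 0 is 'length' (filename length in UTF-16 code units),
 * the remaining bytes are the UTF-16 filename. */
#define HDR_LEN 1u

/* Constructed sample packets; "ab" in UTF-16LE is 4 bytes. */
static const uint8_t pkt_ok[]  = { 2, 'a', 0, 'b', 0 };
static const uint8_t pkt_big[] = { 4, 'a', 0, 'b', 0 };      /* claims 4, holds 2 */
static const uint8_t pkt_odd[] = { 3, 'a', 0, 'b', 0, 'c' }; /* 5 bytes, 2 whole units */

/* Unit mismatch: compares a code-unit count with a byte count, so a
 * declared length of up to twice the data present is accepted. */
static int check_units_vs_bytes(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN)
        return -1;
    return pkt[0] > pkt_len - HDR_LEN ? -1 : pkt[0];
}

/* Converts the trailing byte count to whole UTF-16 code units first;
 * integer division drops a stray odd byte. Returns the validated
 * code-unit count, or -1 when the declared length exceeds the packet. */
static int check_units(const uint8_t *pkt, size_t pkt_len)
{
    size_t avail_units;

    if (pkt_len < HDR_LEN)
        return -1;
    avail_units = (pkt_len - HDR_LEN) / sizeof(uint16_t);
    return pkt[0] > avail_units ? -1 : pkt[0];
}

int main(void)
{
    printf("ok:  mismatch=%d fixed=%d\n",
           check_units_vs_bytes(pkt_ok, sizeof pkt_ok), check_units(pkt_ok, sizeof pkt_ok));
    printf("big: mismatch=%d fixed=%d\n",
           check_units_vs_bytes(pkt_big, sizeof pkt_big), check_units(pkt_big, sizeof pkt_big));
    printf("odd: mismatch=%d fixed=%d\n",
           check_units_vs_bytes(pkt_odd, sizeof pkt_odd), check_units(pkt_odd, sizeof pkt_odd));
    return 0;
}
```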