| commit | f8324611c1ec100fd601842d3943cbf8acd1420f | |
| author | Peter Maydell <peter.maydell@linaro.org> | |
| Thu, 24 Aug 2023 16:48:18 +0000 (24 17:48 +0100) | ||
| committer | Philippe Mathieu-Daudé <philmd@linaro.org> | |
| Thu, 31 Aug 2023 17:47:43 +0000 (31 19:47 +0200) | ||
| tree | d4904a110956b8516b51ed84e741bf0a5e58c28b | treesnapshot (tar.gz zip) |
| parent | 2a8537cfbcf3d0a14e88c5bb42a43a6c8ed5955e | commitdiff |
hw/usb/hcd-xhci: Avoid variable-length array in xhci_get_port_bandwidth()
In xhci_get_port_bandwidth(), we use a variable-length array to
construct the buffer to send back to the guest. Avoid the VLA
by using dma_memory_set() to directly request the memory system
to fill the guest memory with a string of '80's.
The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20230824164818.2652452-1-peter.maydell@linaro.org>
In xhci_get_port_bandwidth(), we use a variable-length array to
construct the buffer to send back to the guest. Avoid the VLA
by using dma_memory_set() to directly request the memory system
to fill the guest memory with a string of '80's.
The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20230824164818.2652452-1-peter.maydell@linaro.org>
| hw/usb/hcd-xhci.c | diffblobblamehistory |