authorHans de Goede <hdegoede@redhat.com>2011-02-02 17:46:00 +0100
committerHans de Goede <hdegoede@redhat.com>2011-05-02 18:07:37 +0200
commitcf0bb5a7d3fdbf87ad1ad8aa9e957315b042e7e1 (patch)
tree2a0d522e906b3d0ce441cb1d5c2571449060fbbb
parent88ccd179226a29d6a379366ec9f4ceee6589bc6c (diff)
usb: control buffer fixesusb-patches
Windows allows control transfers to pass up to 4k of data, so raise our control buffer size to 4k. For control out transfers the usb core code copies the control request data to a buffer before calling the device's handle_control callback. Add a check for overflowing the buffer before copying the data. Signed-off-by: Hans de Goede <hdegoede@redhat.com>
-rw-r--r--hw/usb.c6
-rw-r--r--hw/usb.h2
2 files changed, 7 insertions, 1 deletions
diff --git a/hw/usb.c b/hw/usb.c
index b0264872d2..092a4a7ac3 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -98,6 +98,12 @@ static int do_token_setup(USBDevice *s, USBPacket *p)
s->setup_len = ret;
s->setup_state = SETUP_STATE_DATA;
} else {
+ if (s->setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+ s->setup_len, sizeof(s->data_buf));
+ return USB_RET_STALL;
+ }
if (s->setup_len == 0)
s->setup_state = SETUP_STATE_ACK;
else
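Review bot: The new length check sits only in the control-out `else` branch and returns `USB_RET_STALL` with `s->setup_len` still holding the rejected value, so the device state keeps a length larger than `data_buf`. The assignment of `setup_len` is above the hunk, and if the later data-stage handlers bound their copies by `s->setup_len` (not visible here), a stalled request leaves them with an out-of-range limit; adding `s->setup_len = 0;` before the return, or validating a local before storing it, closes that. The control-in branch at the top of the hunk has no equivalent bound, and whether the callback that produced `ret` limits itself to `sizeof(s->data_buf)` cannot be seen here, so hoisting the check above the direction test would cover both paths. The message also names `usb_generic_handle_packet`, while the hunk header shows this code is in `do_token_setup`.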
diff --git a/hw/usb.h b/hw/usb.h
index 4ff931c7dd..6d6fd9e5ad 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -167,7 +167,7 @@ struct USBDevice {
int32_t state;
uint8_t setup_buf[8];
- uint8_t data_buf[1024];
+ uint8_t data_buf[4096];
int32_t remote_wakeup;
int32_t setup_state;
int32_t setup_len;
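Review bot: The `4096` on `data_buf` is a bare literal, and the reason for it exists only in the commit message, so a later reader of the struct cannot tell it is a protocol-driven bound rather than an arbitrary size. A trailing comment would keep that with the field: `uint8_t data_buf[4096]; /* control transfer payload; 4k is the largest transfer Windows passes */`. If `data_buf` is also part of any saved or migrated device state (not visible in this hunk), the size change alters that layout and should be checked against it.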