segfault due to buffer overrun in usb-serial

Message ID	4B699DB6.4090604@cisco.com (mailing list archive)
State	New, archived
Headers	show Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter.kernel.org (8.14.3/8.14.3) with ESMTP id o13G17Y5023519 for <patchwork-kvm@patchwork.kernel.org>; Wed, 3 Feb 2010 16:01:07 GMT Message-ID: <4B699DB6.4090604@cisco.com> Date: Wed, 03 Feb 2010 09:00:54 -0700 From: "David S. Ahern" <daahern@cisco.com> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.7) Gecko/20100120 Fedora/3.0.1-1.fc11 Thunderbird/3.0.1 MIME-Version: 1.0 To: qemu-devel@nongnu.org CC: kvm-devel <kvm@vger.kernel.org> Subject: [PATCH] segfault due to buffer overrun in usb-serial Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: kvm-owner@vger.kernel.org Precedence: bulk

Message ID

4B699DB6.4090604@cisco.com (mailing list archive)

State

New, archived

Headers

Message-ID: <4B699DB6.4090604@cisco.com>
Date: Wed, 03 Feb 2010 09:00:54 -0700
From: "David S. Ahern" <daahern@cisco.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.1.7) Gecko/20100120 Fedora/3.0.1-1.fc11 Thunderbird/3.0.1
MIME-Version: 1.0
To: qemu-devel@nongnu.org
CC: kvm-devel <kvm@vger.kernel.org>
Subject: [PATCH] segfault due to buffer overrun in usb-serial
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: kvm-owner@vger.kernel.org
Precedence: bulk

Commit Message

David S. Ahern Feb. 3, 2010, 4 p.m. UTC

None

diff --git a/hw/usb-serial.c b/hw/usb-serial.c
index 37293ea..c3f3401 100644
--- a/hw/usb-serial.c
+++ b/hw/usb-serial.c
@@ -497,12 +497,28 @@  static int usb_serial_can_read(void *opaque)
 static void usb_serial_read(void *opaque, const uint8_t *buf, int size)
 {
     USBSerialState *s = opaque;
-    int first_size = RECV_BUF - s->recv_ptr;
-    if (first_size > size)
-        first_size = size;
-    memcpy(s->recv_buf + s->recv_ptr + s->recv_used, buf, first_size);
-    if (size > first_size)
-        memcpy(s->recv_buf, buf + first_size, size - first_size);
+    int first_size, start;
+
+    /* room in the buffer? */
+    if (size > (RECV_BUF - s->recv_used))
+        size = RECV_BUF - s->recv_used;
+
+    start = s->recv_ptr + s->recv_used;
+    if (start < RECV_BUF) {
+        /* copy data to end of buffer */
+        first_size = RECV_BUF - start;
+        if (first_size > size)
+            first_size = size;
+
+        memcpy(s->recv_buf + start, buf, first_size);
+
+        /* wrap around to front if needed */
+        if (size > first_size)
+            memcpy(s->recv_buf, buf + first_size, size - first_size);
+    } else {
+        start -= RECV_BUF;
+        memcpy(s->recv_buf + start, buf, size);
+    }
     s->recv_used += size;
 }

segfault due to buffer overrun in usb-serial

Commit Message

Patch