SUSE:SLE-12-SP2:Update
File 0407-usb-hid-avoid-dynamic-stack-allocat.patch of Package qemu-linux-user
From: Gerd Hoffmann <kraxel@redhat.com> Date: Mon, 3 May 2021 15:29:11 +0200 Subject: usb/hid: avoid dynamic stack allocation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 3f67e2e7f135b8be4117f3c2960e78d894feaa03 References: bsc#1186012, CVE-2021-3527 Use autofree heap allocation instead. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210503132915.2335822-2-kraxel@redhat.com> Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com> --- hw/usb/dev-hid.c | 5 ++++- hw/usb/dev-wacom.c | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c index 24d05f76f90c559122198e4a4907..0fb822957b980c44b7f0162ca795 100644 --- a/hw/usb/dev-hid.c +++ b/hw/usb/dev-hid.c @@ -658,7 +658,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p) { USBHIDState *us = USB_HID(dev); HIDState *hs = &us->hid; - uint8_t buf[p->iov.size]; + uint8_t *buf = g_malloc(p->iov.size); int len = 0; switch (p->pid) { @@ -669,6 +669,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p) } if (!hid_has_events(hs)) { p->status = USB_RET_NAK; + g_free(buf); return; } hid_set_next_idle(hs); @@ -688,6 +689,8 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p) p->status = USB_RET_STALL; break; } + + g_free(buf); } static void usb_hid_handle_destroy(USBDevice *dev) diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c index c4702dbba098abcec3798f3731c2..64ebe864bc95eae22d4a7d903a1c 100644 --- a/hw/usb/dev-wacom.c +++ b/hw/usb/dev-wacom.c @@ -304,7 +304,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p, static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p) { USBWacomState *s = (USBWacomState *) dev; - uint8_t buf[p->iov.size]; + uint8_t *buf = g_malloc(p->iov.size); int len = 0; switch (p->pid) { 
@@ -312,6 +312,7 @@ static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p) if (p->ep->nr == 1) { if (!(s->changed || s->idle)) { p->status = USB_RET_NAK; + g_free(buf); return; } s->changed = 0; @@ -327,6 +328,8 @@ static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p) default: p->status = USB_RET_STALL; } + + g_free(buf); } static void usb_wacom_handle_destroy(USBDevice *dev)
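Review bot: In hw/usb/dev-hid.c, usb_hid_handle_data(), the patch description says "Use autofree heap allocation instead", but the declaration is a plain `uint8_t *buf = g_malloc(p->iov.size);` with a hand-written g_free(buf) before the USB_RET_NAK return and another at the end of the function. Any return path added to this function later will leak buf. Either declare it as `g_autofree uint8_t *buf = g_malloc(p->iov.size);` and drop both g_free() calls, if the GLib this package builds against provides g_autofree (GLib 2.44 or newer), or state in the patch description that this version frees manually and why.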
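Review bot: In hw/usb/dev-wacom.c, usb_wacom_handle_data(), `g_malloc(p->iov.size)` takes the packet size with no upper bound, and the same holds for the matching line in dev-hid.c. g_malloc() aborts the process when the allocation fails, so an oversized p->iov.size ends in an abort rather than a USB error status. Consider rejecting sizes above a fixed maximum with p->status = USB_RET_STALL before allocating. The allocation also sits ahead of switch (p->pid), so the default: USB_RET_STALL path allocates and frees a buffer it never uses; moving the allocation into the branch that fills buf would avoid that and would remove the need for the g_free(buf) before the early return.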